1 Introduction


Air Traffic Management (ATM) has two fundamental objectives: provide safe separation between aircraft and maximize the efficiency of the airspace system. Today, the responsibility to maintain appropriate traffic separation resides in a central human authority within each sector, the Air Traffic Service Provider (ATSP). The ATSP monitors the airspace, issues clearances to all controlled aircraft in the sector, and expects the aircraft to follow these clearances. In the current system, as traffic levels approach capacity, efficiency is sacrificed for safety and there is little room for user preferences. Novel approaches to ATM, e.g., Distributed Air-Ground Traffic Management (DAG-TM) [2,3] and Free-flight [4,5], address capacity problems of the current airspace system by distributing the responsibility for traffic separation among specially-equipped aircraft in the airspace. In these approaches, on-board hardware and ATM software provide surveillance information, alerting for possible loss of separation, and advisories for corrective maneuvers.

On-board conflict detection, resolution, and recovery systems are critical components of new ATM concepts. Conflict detection determines if the path of the aircraft conflicts with any other aircraft. Conflict resolution creates a new path that avoids conflicts with other aircraft. Conflict recovery creates a path to guide the aircraft back to its original destination. The algorithm examined in this paper combines conflict resolution and recovery.

Safety assessment of the correctness of an ATM algorithm amounts to verifying that for every possible scenario, conflicts are detected and effectively resolved. Traditionally, this is done via testing, human-in-the-loop simulations, and flight experiments. The traditional techniques are not sufficient for a comprehensive safety assessment given the enormous number of interactions present in this new distributed environment. Testing, simulations and flight experiments are still valuable for defining requirements, assessing feasibility, and gaining experience with safety and efficiency issues. Some limitations of these techniques for safety assessment include:

• Simulations can only represent phenomena that have been specifically modeled.

• Biased selection of scenarios may limit the correctness of any generalized claims 
made from a collection of simulation results. 

• Flight experiments are too expensive to obtain statistically significant results. 

• The set of possible scenarios is too large to obtain reasonable coverage with 
testing, simulation, and experimentation. 

In this paper we propose the first critical step — algorithm verification — in a formal approach to the safety assessment of future ATM systems; we then provide an extended example of this step. Formal indicates that the model of the ATM system and its properties are stated unambiguously by mathematical formulae, and that all claims are accompanied by rigorous proofs. When the formal proof is checked by a computer program we refer to this as a mechanically checked proof or a mechanical verification. 1

As an illustration of this approach, the formal verification of an algorithm for air traffic conflict resolution and recovery, called RR3D [1], is presented. A conflict resolution and recovery algorithm can be considered a state-based geometric conflict detection and resolution (CD&R) algorithm that satisfies arrival time constraints, see [6]. Such an algorithm may be seen as a building block for strategic conflict resolution [7]. In [1] Geser, et al. present a proof of the RR3D algorithm; this paper formalizes this proof in the mechanical verification system PVS [8]. A proof that has not been mechanically verified may contain non-obvious errors that are difficult for humans to recognize. A proof that is checked by a computer ensures every detail of the proof is thoroughly examined.

This paper is organized as follows. Section 2 discusses the rationale for a formal safety assessment methodology. Section 3 presents an overview of CD&R modeling techniques. Section 4 introduces the resolution and recovery algorithm RR3D. In Section 5, RR3D serves as a case study for our formal approach to safety analysis. Section 6 summarizes the paper and discusses future research directions. Appendix A.1 lists minor errors and missing assumptions in the original proof. Appendix A.2 includes additional lemmas used in the verification. Appendix A.3 maps the notations used in this document to the textual representation in PVS.


2 Rationale for Formal Assessment of ATM Systems 

Digital avionics systems have been used since the early 1970’s. A fly-by-wire aircraft such as the Boeing 777 employs safety-critical software in the flight control computers. This type of software is largely derived from control theory based on rigorous mathematical methods that provide assurance of key properties such as stability. Moreover, the basic stability of the aircraft provides protection from occasional glitches in the control software.

On the ground side, most of the software associated with ATM is packaged into decision support tools for air traffic controllers, e.g., Center TRACON Automation System (CTAS) [9] and User Request Evaluation Tool (URET) [10]. This software provides information to controllers in a convenient format to aid them in managing the trajectories of the aircraft in their sector. The failure of this software is mitigated by human intelligence that has many sources of information about the aircraft under ATM control including the analog display of radar data. Consequently, the safety risk resides primarily in the human controllers. The main question to be asked about such software is whether the software helps the controllers achieve their operational goals. This question is best answered by qualitative human-factors oriented, statistical assessments.

1 A computer program that checks proofs is called a theorem prover. A theorem prover rigorously enforces the rules of mathematical logic and ensures that every step of the proof follows directly from primitive inference rules of the logic. Traditional mathematical proofs are checked through a social peer-review process which over decades identifies any errors in these proofs. Since proofs of software systems are inherently tedious and uninteresting, a social process is not feasible. Therefore, we rely on theorem provers to discover errors in our proofs.

Future ATM concepts under development will utilize software in ways that are fundamentally different from the past. Many of these concepts move the safety risk directly into executing software. A near-term influence is the ICAO’s (International Civil Aviation Organization) Required Navigation Performance (RNP) initiative. RNP-based area navigation (RNAV) extends the capabilities of modern airplanes by providing more accurate and precise navigation capability leading to more flexible airspace routes and procedures in both visual and instrument conditions. Although the RNP-based RNAV system should provide greater accuracy, it will necessarily rely on more sophisticated on-board software and external infrastructure such as Global Positioning System (GPS) and their associated augmentations. In RNP-based RNAV environments the safety risk associated with ATM may migrate from radar and controllers to on-board software and critical technologies, such as GPS, that are also dependent upon software systems. Software consequently may have new safety implications because it can fail in ways that cannot be mitigated by a human. Hence, it is reasonable to re-examine the methods by which we determine that software is correct and reliable.

The safety assessment of ATM systems cannot be accomplished using simulation and experimentation alone. To verify that a system containing safety-critical software is safe, one must ensure that either there are no sequences of inputs that encounter a hazard-inducing bug in the software or that any errors due to non-verified sequences of inputs are mitigated by system level mechanisms. Unfortunately, the state space of complex systems is intractably large. The input space must cover the 3-D airspace in the vicinity of an aircraft and all possible pilot inputs. Even if these are discretized, the number of test cases that must be examined to cover the input domain would require millions of years of experimentation. 2 Extensive simulation can only establish that selected states, from the enormous set of possible states, are safe. It is unrealistic to infer that all states, or that most states, are also safe. The case is even worse with flight experiments. The number of input cases covered is so minuscule that its usefulness for this purpose is virtually nil. Hence the idea that a simulation or a flight experiment can establish the safety of an air traffic management concept must be rejected. A complete coverage of the set of possible states and a rigorous assessment of safety properties is only possible through a complete mathematical proof. The purpose of this paper is to elaborate this type of approach. Within this approach, simulation and flight experiments serve a critical new role in formal safety assessment, as we will point out below.

It is impossible to guarantee that an ATM system, like any physical system, 
works perfectly. There are too many unpredictable elements: changing weather, 
system failures, human errors, etc. It has been argued that it is impossible to 
achieve any guarantee about the behavior of an ATM system, and hence that a 
formal analysis of an ATM system is pointless. We disagree with this generalization. 


2 For example, even a tiny program consisting of five 10-bit inputs and ten 10-bit internal variables has $2^{150}$ states. If each state could be tested in one microsecond, then complete testing would require $4.5 \times 10^{31}$ years.

Indeed formal techniques can guarantee that an algorithm is correct 3 for all possible 
scenarios under reasonable, well-defined assumptions. As we will explain later, this 
set of assumptions is a by-product of the formal verification process. We claim that 
a formal verification is an essential step in the validation process of avionics systems. 

Traditional engineering practice involves making predictions about an extremely complex and unpredictable environment. This is accomplished by bringing mathematical rigor to the system’s domain as much as possible, thus minimizing uncertainty in the system. Because software systems are intrinsically mathematical, one might think that there are no unpredictable elements in them. But, the behavior of embedded computer systems is dependent on assumptions about the environment in which the system operates and the logic contained within the system. If the behavior of the computer system is incorrect then either the assumptions or the logic must be incorrect. Formal verification ensures that the logic is correct but does not address the validity of assumptions. However, formal verification does provide a comprehensive list of assumptions and a framework wherein experts can validate these assumptions. A formally verified system may still fail, but only if the assumptions were not valid. 4 It is therefore critical to validate the assumptions on which the system was built. This requires experienced, technical judgment. Human inspection, flight experiments and simulation can provide this validation. For ATM systems, extensive simulations must be conducted to establish that the operational procedures that govern the new airspace concept are adequate to sustain the assumptions that go into the formal analysis of the software algorithms. Flight experiments must also be performed to corroborate the assumptions of the simulations (such as the effects of winds, dynamics, datalink behavior, etc). A flight experiment provides an essential capability by uncovering shortcomings and errors in the assumptions. When problems are discovered in flight, the formal analysis must be adjusted to reflect the different characteristics of the environment, or the operational procedures must be modified in order to rule out the discovered problem.

A credible safety case for an advanced ATM system will be a massive endeavor. It should be noted that much of the current ATM research is based upon comparative studies. In other words, a new concept is promoted by comparing it to an existing capability rather than rigorously establishing that the concept achieves specific safety and efficiency objectives. The reason for this is that establishing objective, absolute safety and efficiency properties is extremely difficult. The following is only a rudimentary list of some of the key characteristics of a comprehensive safety case.

• All of the requirements for safety have been captured and expressed in a rigorous manner.

• Verifiable algorithms and designs have been used whose behavior is fully explicated via mathematical theorems.

3 By correct we mean there is a mathematical specification of the algorithm’s intended functionality and for all possible inputs it provides that functionality.

4 By a formally verified system we mean that not only the algorithm has been shown to be correct, but its refinement into software has also been shown to be correct.
• Software programs have been developed in accordance with certification standards, such as DO-178B, and shown to be faithful implementations of the formally verified algorithms using code-level verification.

• The operating system on which the software implementation executes must 
provide guarantees of integrity and performance. 

• The probability of failure due to physical faults of critical components and in the infrastructure systems has been shown to meet reliability requirements.

• The adequacy of the fault-tolerance strategies has been established using fault-trees and Markovian analysis as well as laboratory experimentation.

• Operational procedures have been shown to be complete and safe and have 
been extensively simulated. 

• Assumptions of the formal analysis have been subjected to extensive investigation through simulation and flight experimentation.

• The pilot and controller workloads have been shown to be reasonable via 
simulated and flight experiments. 

• Environmental testing requirements, such as DO-160, have been performed. 

We believe that the existing incremental approach to system safety is not sufficient to convince regulatory agencies, such as the Federal Aviation Administration (FAA), that these systems are certifiably safe. We believe that safety cases built on the foundation of provably correct algorithms and designs are the only viable approach for future ATM systems.

As a first step toward a safety case of an advanced ATM concept, this paper presents the mechanical verification of an algorithm for conflict resolution and recovery, called RR3D [1]. The original presentation of this algorithm contained a hand-written proof of its correctness. Although the documented algorithm is correct, the mechanical verification revealed missing assumptions and a few errors in the hand-written proof. This supports our belief that mechanical verification is valuable even when the system has been diligently analyzed using pencil-and-paper.

Without a mechanical proof it is almost impossible to find these kinds of errors. A missing assumption, for example, could result in a fatal error in a real implementation. Since the algorithm has been formally verified, one may be confident that it is logically correct. Nevertheless, this algorithm must be translated into a machine-executable language such as Ada or C. This will necessitate several more steps of logical design, each potentially vulnerable to errors being introduced. There are many issues that must be addressed as this is done:

1. The algorithm operates within the domain of real numbers; an implementation operates within the domain of floating point numbers. Therefore, the executable code must address overflow, underflow, and all of the usual numerical problems.
2. The algorithm assumes no errors are present in the input data. But even the best sensors provide only approximate values. Communication systems, such as ADS-B, introduce errors by way of interference, latency, drop-outs, etc. The effect of these errors must be handled in a trustworthy manner. Also the system must be able to handle some number of computer or device failure conditions, i.e., it must be fault-tolerant. Mechanisms to handle these errors inevitably are implemented with software, which must also be rigorously verified.

3. The algorithm operates in a real-time environment, so one must establish that the system on which the algorithm executes has a sufficient CPU time budget (under all possible scenarios) to complete the algorithm.

This process of design refinement can be understood as a sequence of more and more 
complete formal models; from the last model, an implementation can be synthesized. 
Each of these formal models can be shown to satisfy all properties of its predecessor 
model. This process is usually referred to as design proof and the final verification of 
the implementation code is called code verification. If the last step is accomplished 
using synthesis, then the auto-code tool must be verified or its output verified against 
the detailed design. This paper accomplishes the first step, namely, the proof that 
the mathematical algorithm meets its specified properties. Future work will also 
address the system level issues. If all of the refinement proofs are accomplished in 
addition to the algorithm proofs, then we can be assured that an implementation 
that complies with the formal assumptions (and this has to be checked with testing 
and simulation) will be free of software design errors. 


3 Conflict Detection and Resolution 

Conflict detection and conflict resolution algorithms are designed to warn about potential loss of air traffic separation and to produce avoidance maneuvers to be flown by the aircraft. There is a wide variety of approaches to CD&R because there are different ways to (1) predict the future trajectories, (2) define what constitutes close proximity of trajectories, (3) calculate the resolution trajectories, and (4) gain assurance about the safety and effectiveness of the algorithms. Algorithms also differ in the domain of application: (1) how far ahead in time should a conflict be detected, (2) whether the algorithm deals with only one conflict at a time or handles multiple simultaneous conflicts, and (3) the amount of coordination and communication needed to implement the algorithm.

In [11], Kuchar and Yang propose a taxonomy of CD&R algorithms. For completeness, we give an overview of that taxonomy.

3.1 Kuchar/Yang Taxonomy of CD&R Algorithms

The Kuchar/Yang taxonomy classifies CD&R algorithms based upon the following criteria: (1) state propagation method, (2) dimensions of the state information, (3) detection alert issued, (4) resolution method, (5) dimensionality of resolution maneuver, (6) method for handling multiple alerts, and (7) other elements.

The state propagation method criteria classifies each algorithm as nominal, worst-case, or probabilistic. If the future course of aircraft is represented as the projected trajectory based on the current state, the algorithm is said to be nominal. If all possible future trajectories, subject to only physical constraints (e.g. maximum turn rate) are considered, then the algorithm is said to be worst-case. If possible future trajectories are assigned probabilities from which a conflict probability is calculated, the algorithm is said to be probabilistic.

The state dimensions criteria classifies an algorithm on the basis of the dimensions analyzed: horizontal plane only (H), vertical plane only (V), or both (HV). The detection alert criteria is just a boolean flag (T/F) which is true if the algorithm provides an explicit alert. The resolution criteria classifies an algorithm as Prescribed (P), Optimized (O), Force field (F), Manual (M), or None (-). Prescribed algorithms provide simple resolutions such as “pull up” that require no on-board calculation. Optimization approaches provide explicit calculated trajectories that remove the conflict. Force field approaches treat each aircraft as a charged particle and use modified electrostatic models from which resolution trajectories are calculated. This means that the closer two aircraft are to each other the more dramatic the maneuvers to escape from each other. Manual algorithms allow the pilot to present a trial solution and provide feedback indicating whether the proposed solution avoids conflict. If the algorithm does not provide a resolution, then it is designated as “None”.

The resolution dimensionality criteria classifies an algorithm using four letters: T 
for Turns, V for Vertical maneuvers, S for Speed changes, and C for combined. This 
criteria is best explained by example. The notation TV indicates that resolutions 
produced by the algorithm involve turns or vertical maneuvers but not both at 
the same time. The notation C(TV) indicates that a simultaneous climbing or 
descending turn may be produced. The multiple conflicts criteria can be Pairwise (P) 
for algorithms where multiple conflicts are handled sequentially in pairs or Global 
(G) where all of the conflicts are handled at the same time. 

In this taxonomy, “other elements” include how much information is known 
about the current state of the aircraft, how uncertainty of input data is handled, 
and the degree to which coordination between aircraft is required. 

3.2 Classification of RR3D 

It is straightforward to classify RR3D according to the Kuchar and Yang taxonomy. 
RR3D is a nominal, 3-dimensional algorithm (HV) which produces an alert if a 
conflict is detected, but does not provide the detection capability itself. It is designed 
to be used in conjunction with other detection algorithms. Therefore the RR3D 
algorithm should be classified as not providing conflict detection, i.e. (F). 

The RR3D algorithm produces optimal solutions, i.e., minimal change, that are guaranteed to maintain separation and thus is an (O) algorithm. The resolution trajectories produced by RR3D only affect one parameter at a time and hence it is an STV algorithm. This is a deliberate design decision. The rationale is that a pilot will have reduced workload executing a maneuver if only one dimension changes. RR3D also produces recovery trajectories that return the aircraft to its next waypoint using a second maneuver. The recovery trajectories may involve the change of ground speed along with a heading change or an altitude change. Currently, RR3D is a pairwise algorithm (P) though work is under way to establish properties of some of its solution trajectories in the context of multiple aircraft. Formal proofs are under development that the RR3D algorithm is complementary in a systems context without any explicit information being passed between aircraft. In other words, the evasive maneuvers provided by RR3D, which are executed independently on different aircraft, are guaranteed to resolve all conflicts.

With regard to the “other elements,” the only information that RR3D requires 
is the position and velocity of the own-ship aircraft and any surrounding aircraft. 
The algorithm does not require any other data-exchange or handshakes between the 
aircraft, nor does it use information about the intent of the aircraft. RR3D currently 
does not take input data error into consideration. We envision future versions that 
incorporate support for bounded data errors. 

In summary, RR3D is a nominal, HV, F, O, STV, P algorithm according to the 
Kuchar and Yang taxonomy. 

3.3 Geometric CD&R 

In recent years, new approaches for CD&R have been proposed that use non-standard programming techniques such as genetic algorithms [12-14], neural networks [15], game theory [16], graph theory [17], and semi-definite programming [18]. Given the computational complexity of some of these techniques, they usually require costly time and space discretizations. In contrast to these approaches, the geometric approach [5,6,19,20] is based on standard and well-understood analytical techniques.

In Kuchar & Yang’s taxonomy, geometric modeling corresponds to nominal trajectories with either optimized or force field resolutions. Nominal trajectories are linear projections of the current position and velocity vectors. The conflict resolution problem is then expressed as a set of polynomial equations that are solved using analytical techniques. Since linear projections produce prediction errors that are negligible for short look-ahead times, this approach is also referred to as tactical. For large look-ahead times a more strategic approach, that uses the other pilot’s intent (e.g., flight plan), is in order. While tactical approaches have well-understood geometric descriptions that allow for efficient and clear algorithms, they may fall short of pilots’ expectations [3,21].

3.4 Resolution and Recovery 

Resolution and recovery algorithms — also called resolution with arrival time constraints in [22] — generate, in addition to the avoidance maneuver, merging trajectories that bring an aircraft back to its nominal path on schedule.



Figure 1 illustrates the position of conflict resolution and recovery in an abstract 
distributed ATM environment. On-board sensors capture the current state of the 
aircraft and broadcast this information to all nearby aircraft. When the conflict 
detection module [23] detects a conflict within a look-ahead time, the resolution 
and recovery module computes a list of escape and recovery maneuvers. The list of 
maneuvers is displayed through the cockpit interface for pilot selection or it may be 
forwarded to a navigation system that automatically selects one of the maneuvers. 



Figure 1. On-board Processing of an ATM System 


4 RR3D Algorithm 

In RR3D aircraft are represented by a kinematic particle model with the center 
of gravity as the coordinate point of the particle. Trajectories are assumed to be 
composed of linear segments: speed is constant within a segment and from one 
segment to another acceleration is instantaneous. 

RR3D resolves conflicts between a pair of aircraft: the ownship aircraft executing the algorithm onboard and another aircraft, also called the intruder. The intruder is surrounded by a cylindrical protected zone $P$ of diameter $2D$ and height $2H$, where $D$ is the required horizontal separation and $H$ is the required vertical separation. A conflict is an intrusion of the ownship in the intruder’s protected zone. RR3D computes conflict-free, easily performed escape and recovery maneuvers that result in trajectories that are tangential to the intruder’s protected zone. The path will remain conflict-free, assuming the ownship aircraft follows the recommended path and the intruder does not change its path. If the intruder maneuvers, then new paths may need to be computed.

Figure 2. RR3D: Input/Outputs

For simplicity, we choose a relative Cartesian coordinate system where the intruder aircraft is fixed at the origin. 5 RR3D has the following inputs (see Figure 2 and Figure 3):

• the relative position $s$ of ownship with respect to intruder.

• the velocity vector of ownship $v_o$.

• the velocity vector of intruder aircraft $v_i$.

• the arrival time $t''$ at the target point.

The target point $s''$ is defined as

$s'' = s + t''(v_o - v_i).$

RR3D outputs a choice of escape and recovery maneuvers for the ownship, i.e., triples $(v'_o, t', v''_o)$ where $v'_o$ is the escape velocity vector, $t'$ is the time of turn, and $v''_o$ is the recovery velocity vector. Figure 2 illustrates RR3D’s functionality for a single output.

In order to reduce the pilot’s workload, the escape and recovery maneuvers are constrained in such a way that both $v'_o$ and $v''_o$ satisfy one of the following conditions:

1. Change of vertical speed only. The ownship’s vertical speed may change but not its heading or ground speed, i.e., $v'_{ox} = v_{ox} = v''_{ox}$ and $v'_{oy} = v_{oy} = v''_{oy}$.

2. Change of ground speed only. The ownship’s ground speed may change but not its heading or vertical speed. Formally, there is a $k > 0$ such that $v'_{ox} = k v_{ox}$, $v'_{oy} = k v_{oy}$, and $v'_{oz} = v_{oz}$, and there is a $j > 0$ such that $v''_{ox} = j v_{ox}$, $v''_{oy} = j v_{oy}$, and $v''_{oz} = v_{oz}$.

3. Change of heading. In the two dimensional projection, the escape course and the recovery course (each in absolute coordinates) form a triangle. By the triangle inequality, the escape course and the recovery course together are longer than the original course. To arrive at the target point at time $t''$, the ownship has to compensate by using a greater average ground speed as opposed to its original ground speed. Hence, maneuvers where only heading changes are allowed cannot reach the target point in time. In this case, we propose a change of heading combined with a change of ground speed at time $t'$. In the escape course, the ownship’s heading may change, but not its ground speed or vertical speed; for the recovery course one must allow for a change of ground speed as well as the heading change. Formally, $v'^2_{ox} + v'^2_{oy} = v^2_{ox} + v^2_{oy}$, $v'_{oz} = v_{oz}$, and $v''_{oz} = v_{oz}$.

5 We are assuming perfect knowledge of the location and velocity of the intruder.

Furthermore, we require that the escape and recovery courses are tangential to 
the lateral surface of the protected zone. Tangential courses solve a conflict in an 
optimal way. They require the least effort to correct the original trajectory such that 
the ownship arrives at the next way point 6 at the scheduled time while maintaining 
separation. Original, escape, and recovery courses are illustrated in Figure 3. 



Figure 3. Relative movement of the ownship w.r.t. the intruder 

The RR3D algorithm is presented as a set of solutions to polynomial equations that represent the initial assumptions, the correctness conditions, one of three constraints listed above, and the tangential requirement. The solutions are categorized according to the part of the surface of the protected zone $P$ that is touched during the escape and recovery courses. The following cases are identified: line/line (Figure 4), line/circle (Figure 5), circle/line (Figure 6), one-circle (Figure 7), circle/circle (Figure 8), in-circle (Figure 9), and out-circle (Figure 10).

The RR3D algorithm is required to satisfy the following properties: 

• Correctness of the Escape Course: The ownship maintains separation during the escape course. Let $v' = v'_o - v_i$; then for all times $0 < t < t'$

$s + t v' \notin P$ (1)

• Correctness of the Recovery Course: The ownship maintains separation during the recovery course. Let $v'' = v''_o - v_i$; then for all times $t' < t < t''$

$s + t' v' + (t - t') v'' \notin P$ (2)

6 RR3D does not consider way points beyond the next one. RR3D could be used in conjunction 
with a strategic planner that alters subsequent way points to meet higher-level objectives such as 
flow management or weather avoidance. 








Figure 4. Line/line (top view, perspective view, and side view) 





Figure 5. Line/circle (top view, perspective view, and side view) 





Figure 6. Circle/line (top view, perspective view, and side view) 
• Timeliness: The ownship arrives at the target point at the prescribed time. 

$$s + t'v' + (t'' - t')v'' = s'' \tag{3}$$ 

Geser et al. [1] present a proof that the RR3D algorithm is correct, i.e., satisfies the 
required properties (1), (2), and (3). 

We describe in Section 5 how the paper-and-pencil proofs of [1] are mechanized 
in PVS. 

5 Formal Verification of RR3D 

This presentation of the formal verification of RR3D is organized as follows. First we 
define a few predicates to express the separation requirements and some geometric 
properties, and useful statements about them. Then we prove correctness of the 
escape course, correctness of the recovery course, and timeliness for each case that 
RR3D defines. We divide the cases according to the constraint they satisfy: Vertical, 
Ground-Speed, and Heading. 

5.1 Basic Definitions and Common Lemmas 

In this section we use $s$, $v$, $t$ in a generic way, i.e., they do not necessarily refer to 
the relative variables. 

5.1.1 Horizontal and Vertical Separation 

The infinite cylinder is the set of points 

$$P_\infty = \{(x, y, z) \mid x^2 + y^2 < D^2\},$$ 

and the infinite slice is the set of points 

$$S_\infty = \{(x, y, z) \mid |z| < H\}.$$ 

Associated with these regions, we define three predicates about aircraft separa- 
tion in the PVS specification. 

$$\text{hor\_sep?}(s) \equiv s_x^2 + s_y^2 \ge D^2 \tag{4}$$ 

$$\text{vert\_sep?}(s) \equiv |s_z| \ge H \tag{5}$$ 

$$\text{separation?}(s, v) \equiv \forall t : \text{hor\_sep?}(s + tv) \lor \text{vert\_sep?}(s + tv) \tag{6}$$ 

We also define a notion of separation over an interval of time: 

$$\text{pred\_sep?}(s, v, t'') \equiv \forall t : 0 \le t \le t'' \supset \text{hor\_sep?}(s + tv) \lor \text{vert\_sep?}(s + tv) \tag{7}$$ 
The following useful lemma enables one to translate the starting point: 
Lemma 1 (separation_lem) 

$$\text{separation?}(s, v) \Leftrightarrow \text{separation?}(s + tv, v) \tag{8}$$ 

Proof. Case 1 [$\text{separation?}(s, v) \supset \text{separation?}(s + tv, v)$]: We need to prove that 

$$\text{hor\_sep?}(s + tv + Tv) \lor \text{vert\_sep?}(s + tv + Tv)$$ 

for an arbitrary $T$. From the premise we have 

$$\forall t'' : \text{hor\_sep?}(s + t''v) \lor \text{vert\_sep?}(s + t''v).$$ 

Substituting $t + T$ for $t''$ we have the desired result. 

Case 2 [$\text{separation?}(s + tv, v) \supset \text{separation?}(s, v)$]: Proof similar to Case 1. 

□ 

5.1.2 Correctness Criteria 

A point $s$ at the boundary of the infinite cylinder and moving with velocity $v$ may 
move into or out of the infinite cylinder. The direction is determined by the sign of 
the dot product $(s_x, s_y) \cdot (v_x, v_y)$. In formulas (9-11) we provide convenient names 
for each direction. 

$$\text{entry?}(s, v) \equiv s_x v_x + s_y v_y \le 0 \tag{9}$$ 

$$\text{exit?}(s, v) \equiv s_x v_x + s_y v_y \ge 0 \tag{10}$$ 

$$\text{tangent?}(s, v) \equiv s_x v_x + s_y v_y = 0 \tag{11}$$ 

For convenience the tangent case is included in the entry? and exit? definitions. The 
predicates entry_point?(s, v), exit_point?(s, v), and tangent_point?(s, v) are defined as 
the conjunction of $s_x^2 + s_y^2 = D^2$ with entry?(s, v), exit?(s, v), and tangent?(s, v), 
respectively. 

We provide correctness criteria for the line and circle cases. 

Theorem 2 (Line Case Correctness) 

$$\text{tangent\_point?}(s, v) \supset \text{separation?}(s, v)$$ 

Proof. Let $s + tv$ be a moving point such that $s$ is tangent to $P_\infty$. Then, by properties 
of tangent lines, $(s_x + tv_x)^2 + (s_y + tv_y)^2 \ge D^2$ for all times $t$. 

□ 

Theorem 3 (Circle Case Correctness) 

$$\text{hor\_sep?}(s) \land \text{vert\_sep?}(s)$$ 
$$\land\ (\text{entry\_point?}(s, v) \land s_z v_z \ge 0 \ \lor\ \text{exit\_point?}(s, v) \land s_z v_z \le 0)$$ 
$$\supset \text{separation?}(s, v)$$ 

Proof. Let $s + tv$ be a moving point such that $s_x^2 + s_y^2 = D^2$, $|s_z| = H$, and either 
(1) $s_x v_x + s_y v_y \le 0$ and $s_z v_z \ge 0$ or (2) $s_x v_x + s_y v_y \ge 0$ and $s_z v_z \le 0$. Then, for 
all times $t$, either (a) horizontal separation: $(s_x + tv_x)^2 + (s_y + tv_y)^2 \ge D^2$ or (b) 
vertical separation: $|s_z + tv_z| \ge H$. 

□ 
5.1.3 Times of Intersection with the Cylinder Lateral Surface 

In order to use the correctness criteria, we have to determine the times $t$ at which 
a moving point $s + tv$ intersects the lateral surface of the infinite cylinder. These 
times are given as the solutions of 

$$(s_x + tv_x)^2 + (s_y + tv_y)^2 = D^2. \tag{12}$$ 

The predicate hor_speed_gt_0? expresses that the horizontal speed is greater than 
zero: 

$$\text{hor\_speed\_gt\_0?}(v) \Leftrightarrow (v_x^2 + v_y^2 > 0). \tag{13}$$ 

If hor_speed_gt_0?(v) holds then (12) reduces to a quadratic equation in $t$: 

$$t^2(v_x^2 + v_y^2) + 2t(s_x v_x + s_y v_y) + s_x^2 + s_y^2 - D^2 = 0. \tag{14}$$ 

The discriminant $\Delta(s, v)$ is defined as 

$$\Delta(s, v) = 2^2 (s_x v_x + s_y v_y)^2 - 4(v_x^2 + v_y^2)(s_x^2 + s_y^2 - D^2) \tag{15}$$ 
$$= 4D^2(v_x^2 + v_y^2) - 4(s_x v_y - s_y v_x)^2.$$ 

If $\Delta(s, v) < 0$ then the moving point does not intersect $P_\infty$. In particular, if 
$\Delta(s, v) = 0$ we have the tangent case. We define a predicate tangent_condition? 
by 

$$\text{tangent\_condition?}(s, v) \Leftrightarrow (D^2(v_x^2 + v_y^2) = (s_x v_y - s_y v_x)^2). \tag{16}$$ 

If tangent_condition?(s, v) holds then the time $\tau(s, v)$ of closest approach in the 
horizontal plane is the unique solution of (14): 

$$\tau(s, v) = -\frac{s_x v_x + s_y v_y}{v_x^2 + v_y^2}. \tag{17}$$ 

The following lemma establishes the fundamental property of $\tau$: if the ownship 
is on a course satisfying the tangent condition, then it is at the tangent point at 
time $\tau$. 

Lemma 4 (tau_is_tangent_pt) 

$$\text{hor\_speed\_gt\_0?}(v') \land \text{tangent\_condition?}(s, v') \supset \text{tangent\_point?}(s + v'\tau(s, v'), v')$$ 

Proof. Expanding the tangent_point? predicate yields two claims: 

$$(s_x + \tau(s, v')v'_x)^2 + (s_y + \tau(s, v')v'_y)^2 = D^2, \tag{18}$$ 

$$(s_x + \tau(s, v')v'_x)v'_x + (s_y + \tau(s, v')v'_y)v'_y = 0. \tag{19}$$ 

Proof of (18). Since $v'^2_x + v'^2_y \ne 0$ by hor_speed_gt_0?(v'), the tangent condition 
(16) can be expressed as 

$$D^2 = \frac{(s_x v'_y - s_y v'_x)^2}{v'^2_x + v'^2_y}.$$ 

Substituting this into equation (18) and expanding the definition of $\tau(s, v')$ yields 

$$\left(s_x - \frac{s_x v'_x + s_y v'_y}{v'^2_x + v'^2_y}\, v'_x\right)^2 + \left(s_y - \frac{s_x v'_x + s_y v'_y}{v'^2_x + v'^2_y}\, v'_y\right)^2 = \frac{(s_x v'_y - s_y v'_x)^2}{v'^2_x + v'^2_y}.$$ 

Algebraic simplification verifies this equality. This concludes the proof of (18). 

Proof of (19). Expanding the definition of $\tau(s, v')$ in equation (19) yields 

$$\left(s_x - \frac{s_x v'_x + s_y v'_y}{v'^2_x + v'^2_y}\, v'_x\right) v'_x + \left(s_y - \frac{s_x v'_x + s_y v'_y}{v'^2_x + v'^2_y}\, v'_y\right) v'_y = 0.$$ 

Algebraic simplification verifies this equality. 

□ 


5.1.4 Entering and leaving $P_\infty$ 

If $\Delta(s, v) > 0$, we get two solutions for (14) which we call $\Theta^-(s, v)$ and $\Theta^+(s, v)$, 
respectively: 

$$\Theta^-(s, v) = \frac{-2 s_x v_x - 2 s_y v_y - \sqrt{\Delta(s, v)}}{2v_x^2 + 2v_y^2}, \tag{20}$$ 

$$\Theta^+(s, v) = \frac{-2 s_x v_x - 2 s_y v_y + \sqrt{\Delta(s, v)}}{2v_x^2 + 2v_y^2}. \tag{21}$$ 

By definition, $\Theta^-(s, v) \le \Theta^+(s, v)$. 

To facilitate this definition in PVS, a predicate clash? is defined as follows: 

$$\text{clash?}(s, v) \equiv v_x^2 + v_y^2 > 0 \land \Delta(s, v) > 0 \tag{22}$$ 

Thus we have 

$$\Theta^{\pm}(s : \text{vector},\ v : (\text{clash?})) = \frac{-2 s_x v_x - 2 s_y v_y \pm \sqrt{\Delta(s, v)}}{2v_x^2 + 2v_y^2} \tag{23}$$ 

Before we continue, we need to digress to the solution of quadratic equations. 
The following formula characterizes the solutions of a quadratic equation: 

$$ax^2 + bx + c = 0 \Leftrightarrow \text{discr}(a, b, c) \ge 0 \land (x = \text{root}(-1, a, b, c) \lor x = \text{root}(1, a, b, c)). \tag{24}$$ 

The discriminant $\text{discr}(a, b, c)$ and the solutions $\text{root}(\epsilon, a, b, c)$ for $\epsilon = \pm 1$ are defined 
by 

$$\text{discr}(a, b, c) = b^2 - 4ac, \tag{25}$$ 

$$\text{root}(\epsilon, a, b, c) = \frac{-b + \epsilon\sqrt{\text{discr}(a, b, c)}}{2a}. \tag{26}$$ 

The following lemma establishes the key property about $\Theta^{\pm}$: 

Lemma 5 (THETA_main) 

$$\text{clash?}(s, v) \land t = \Theta^{\pm}(s, v) \supset (s_x + tv_x)^2 + (s_y + tv_y)^2 = D^2$$ 

Proof. Application of (24) to (14). 

□ 

The following two lemmas establish that $\Theta^-$ is an entry point and that $\Theta^+$ is 
an exit point: 

Lemma 6 (entry_it_is) 

$$\text{hor\_sep?}(s) \land \text{clash?}(s, v) \land \neg\text{pred\_sep?}(s, v, t'') \supset \text{entry\_point?}(s + v\Theta^-(s, v), v)$$ 

Proof. To show that $s + v\Theta^-(s, v)$ is an entry point we show that 

$$(s_x + \Theta^-(s, v)v_x)^2 + (s_y + \Theta^-(s, v)v_y)^2 = D^2, \tag{27}$$ 

$$(s_x + \Theta^-(s, v)v_x)v_x + (s_y + \Theta^-(s, v)v_y)v_y \le 0. \tag{28}$$ 

THETA_main [Lemma 5] discharges (27). For the claim (28) let us consider the 
derivative of the distance between the two aircraft: $2(s_x + tv_x)v_x + 2(s_y + tv_y)v_y$, 
which is equal to $2t(v_x^2 + v_y^2) + 2(s_x v_x + s_y v_y)$. We first show that this is non-positive 
for all $t \le \tau(s, v)$: 

$$t \le \tau(s, v) \ \supset\ t \le -\frac{s_x v_x + s_y v_y}{v_x^2 + v_y^2} \ \supset\ 2t(v_x^2 + v_y^2) \le -2(s_x v_x + s_y v_y) \ \supset\ 2t(v_x^2 + v_y^2) + 2(s_x v_x + s_y v_y) \le 0.$$ 

From (20) and (17) it follows trivially that $\Theta^-(s, v) \le \tau(s, v)$. Thus we can substi- 
tute $\Theta^-(s, v)$ for $t$ in the previous inequality to get 

$$2\Theta^-(s, v)(v_x^2 + v_y^2) + 2(s_x v_x + s_y v_y) \le 0,$$ 

which simplifies to (28). 

□ 

Lemma 7 (exit_it_is) 

$$\text{hor\_sep?}(s) \land \text{clash?}(s, v) \land \neg\text{pred\_sep?}(s, v, t'') \supset \text{exit\_point?}(s + v\Theta^+(s, v), v)$$ 

Proof. The proof is similar to the proof of entry_it_is, except that $\Theta^+(s, v)$ is used and the 
derivative of the distance is shown to be non-negative for $t \ge \tau(s, v)$. 

□ 

Lemma 8 (exploit_pred_conflict) 

$$t'' > 0 \land \text{hor\_sep?}(s) \land \neg\text{pred\_sep?}(s, v, t'') \supset \text{clash?}(s, v)$$ 

Proof. The following chain of implications provides the proof: 

$$\neg\text{pred\_sep?}(s, v, t'')$$ 
$$\supset \neg(\forall t : 0 \le t \le t'' \supset \text{hor\_sep?}(s + vt))$$ 
$$\supset (\text{hor\_speed\_gt\_0?}(v) \land \Delta(s, v) > 0 \land 0 < \Theta^+(s, v) \land \Theta^-(s, v) < t'')$$ 
$$\supset \text{clash?}(s, v)$$ 

The second implication above follows from a characterization, similar to (24), of 
the solutions of the quadratic inequality $at^2 + bt + c \ge 0$ where $a = v_x^2 + v_y^2$, 
$b = 2(s_x v_x + s_y v_y)$ and $c = s_x^2 + s_y^2 - D^2$, derived from (14). 

□ 
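As an added illustration of Sections 5.1.2 to 5.1.4, the following Python evaluates the predicates hor_sep?, vert_sep?, entry_point?, exit_point? and tangent_point?, the discriminant $\Delta$, the tangent time $\tau$ and the intersection times $\Theta^{\pm}$ on a constructed relative state, and checks numerically what Lemmas 4 to 8 state: both $\Theta^{\pm}$ lie on the lateral surface, $\Theta^-$ is an entry point, $\Theta^+$ an exit point, and a course satisfying the tangent condition touches the cylinder at time $\tau$. This is example code written for this page, not part of the PVS development described in the paper; the values $D = 5$ and $H = 1$, the sample vectors, and the finite sampling used to approximate pred_sep? are assumptions of the example.

```python
import math
from typing import Dict, Tuple

Vec = Tuple[float, float, float]

# Protected-zone parameters: constructed values for this example, not from the paper.
D = 5.0     # horizontal separation distance
H = 1.0     # vertical separation distance (half height of the infinite slice)
EPS = 1e-9  # tolerance when comparing floating-point values with the exact predicates


def at(s: Vec, v: Vec, t: float) -> Vec:
    """The moving point s + t v."""
    return (s[0] + t * v[0], s[1] + t * v[1], s[2] + t * v[2])

def hor_sep(s: Vec) -> bool:
    """hor_sep?(s): s_x^2 + s_y^2 >= D^2  (4)"""
    return s[0] ** 2 + s[1] ** 2 >= D ** 2 - EPS

def vert_sep(s: Vec) -> bool:
    """vert_sep?(s): |s_z| >= H  (5)"""
    return abs(s[2]) >= H - EPS

def pred_sep(s: Vec, v: Vec, t2: float, samples: int = 4000) -> bool:
    """pred_sep?(s, v, t'') (7), approximated by sampling [0, t''] (an assumption of this
    example; the PVS definition quantifies over every real t in the interval)."""
    return all(hor_sep(at(s, v, t2 * i / samples)) or vert_sep(at(s, v, t2 * i / samples))
               for i in range(samples + 1))

def hor_speed_gt_0(v: Vec) -> bool:
    """hor_speed_gt_0?(v): v_x^2 + v_y^2 > 0  (13)"""
    return v[0] ** 2 + v[1] ** 2 > 0

def delta(s: Vec, v: Vec) -> float:
    """Delta(s, v) = 4 D^2 (v_x^2 + v_y^2) - 4 (s_x v_y - s_y v_x)^2  (15)"""
    return 4 * D ** 2 * (v[0] ** 2 + v[1] ** 2) - 4 * (s[0] * v[1] - s[1] * v[0]) ** 2

def tangent_condition(s: Vec, v: Vec) -> bool:
    """tangent_condition?(s, v): D^2 (v_x^2 + v_y^2) = (s_x v_y - s_y v_x)^2  (16)"""
    return abs(D ** 2 * (v[0] ** 2 + v[1] ** 2) - (s[0] * v[1] - s[1] * v[0]) ** 2) < EPS

def tau(s: Vec, v: Vec) -> float:
    """tau(s, v) = -(s_x v_x + s_y v_y) / (v_x^2 + v_y^2)  (17)"""
    return -(s[0] * v[0] + s[1] * v[1]) / (v[0] ** 2 + v[1] ** 2)

def clash(s: Vec, v: Vec) -> bool:
    """clash?(s, v): v_x^2 + v_y^2 > 0 and Delta(s, v) > 0  (22)"""
    return hor_speed_gt_0(v) and delta(s, v) > 0

def theta(s: Vec, v: Vec, eps: int) -> float:
    """Theta^-(s, v) for eps = -1, Theta^+(s, v) for eps = +1  (23); needs clash?(s, v)."""
    if not clash(s, v):
        raise ValueError("Theta is only defined when clash?(s, v) holds")
    num = -2 * s[0] * v[0] - 2 * s[1] * v[1] + eps * math.sqrt(delta(s, v))
    return num / (2 * v[0] ** 2 + 2 * v[1] ** 2)

def on_lateral_surface(p: Vec) -> bool:
    return abs(p[0] ** 2 + p[1] ** 2 - D ** 2) < EPS

def entry_point(p: Vec, v: Vec) -> bool:    # s_x^2 + s_y^2 = D^2 and entry? (9)
    return on_lateral_surface(p) and p[0] * v[0] + p[1] * v[1] <= EPS

def exit_point(p: Vec, v: Vec) -> bool:     # s_x^2 + s_y^2 = D^2 and exit? (10)
    return on_lateral_surface(p) and p[0] * v[0] + p[1] * v[1] >= -EPS

def tangent_point(p: Vec, v: Vec) -> bool:  # s_x^2 + s_y^2 = D^2 and tangent? (11)
    return on_lateral_surface(p) and abs(p[0] * v[0] + p[1] * v[1]) < EPS

def check_theta_lemmas(s: Vec, v: Vec, t2: float) -> Dict[str, object]:
    """Numerical check of Lemmas 5-8 for a course s, v that is in conflict over [0, t'']."""
    tm, tp = theta(s, v, -1), theta(s, v, +1)
    conflict = t2 > 0 and hor_sep(s) and not pred_sep(s, v, t2)
    return {
        "theta_minus": tm,
        "theta_plus": tp,
        "theta_main": on_lateral_surface(at(s, v, tm)) and on_lateral_surface(at(s, v, tp)),  # Lemma 5
        "entry_it_is": entry_point(at(s, v, tm), v),             # Lemma 6
        "exit_it_is": exit_point(at(s, v, tp), v),               # Lemma 7
        "theta_minus_le_tau_le_theta_plus": tm <= tau(s, v) <= tp,
        "exploit_pred_conflict": (not conflict) or clash(s, v),  # Lemma 8
    }

def check_tau_is_tangent_pt(s: Vec, v: Vec) -> bool:
    """Lemma 4: hor_speed_gt_0?(v) and tangent_condition?(s, v) imply tangent_point?(s + v tau, v)."""
    return hor_speed_gt_0(v) and tangent_condition(s, v) and tangent_point(at(s, v, tau(s, v)), v)

# Constructed sample: relative position 20 units west and 3 units north of the intruder,
# closing due east at 2 units per second, so the straight course crosses the cylinder.
S_CONFLICT: Vec = (-20.0, 3.0, 0.0)
V_CONFLICT: Vec = (2.0, 0.0, 0.0)
# The same course shifted 2 units north only grazes the cylinder (tangent case).
S_TANGENT: Vec = (-20.0, 5.0, 0.0)

if __name__ == "__main__":
    print(check_theta_lemmas(S_CONFLICT, V_CONFLICT, 15.0))
    print("Lemma 4 on the tangent sample:", check_tau_is_tangent_pt(S_TANGENT, V_CONFLICT))
```

On the conflicting sample the two intersection times are $\Theta^- = 8$ and $\Theta^+ = 12$ with $\tau = 10$ between them, and the points reached at those times, $(-4, 3)$ and $(4, 3)$, lie on the circle of radius 5 with the dot products $-8$ and $8$ that make them an entry and an exit point. The tolerances are only there to absorb floating-point rounding; the PVS lemmas are stated over exact reals.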

Lemma 9 (vert_pred) 

$$s'' = s + t''v \land ((s_z \ge H \land s''_z \ge H) \lor (s_z \le -H \land s''_z \le -H)) \supset \text{pred\_sep?}(s, v, t'')$$ 

Proof. In order to show pred_sep?(s, v, t'') it is sufficient to show $|s_z + t''v_z| \ge H$. 

Case 1 [$s_z \ge H \land s''_z \ge H$]: From the first premise and the case conditions we get 
$s''_z - t''v_z \ge H$ and $s_z + t''v_z \ge H$. Now if $v_z \ge 0$ we have $s_z + t''v_z = |s_z + t''v_z|$ and 
hence vertical separation. Otherwise, since $s''_z$ is positive, $|s''_z| = s''_z = s_z + t''v_z$ and 
hence $|s_z + t''v_z| \ge H$. 

Case 2 [$s_z \le -H \land s''_z \le -H$]: Same approach as Case 1, only substituting $-s_z$ for 
$s_z$. 

□ 

We will need (16) and (17) instantiated with the parameters of the escape and the 
recovery courses. For the escape course we get tangent_condition?(s, v') and the time 
of closest approach in the horizontal plane $\tau(s, v')$. The moving point $s'' + (t - t'')v''$ 
describes the recovery course in a translated time $t - t''$. Therefore, for the recovery 
course we get tangent_condition?(s'', v'') and the time of closest approach in the 
horizontal plane $\tau(s'', v'') + t''$. 


5.1.5 Reaching altitude $H$ or $-H$ 

If $v_z \ne 0$ then the times when the ownship reaches altitude $H$ or $-H$ are the solutions 
of $|s_z + tv_z| = H$ for $t$, which we call $\theta^-(s_z, v_z)$ and $\theta^+(s_z, v_z)$, respectively: 

$$\theta^-(s_z, v_z) = \frac{-\text{sign}(v_z)H - s_z}{v_z}, \tag{29}$$ 

$$\theta^+(s_z, v_z) = \frac{\text{sign}(v_z)H - s_z}{v_z}. \tag{30}$$ 

The following lemma establishes the main property of $\theta^{\pm}$: the ownship is at the 
top or bottom of the infinite slice. 

Lemma 10 (reaching_H_theta) 

$$v_z \ne 0 \supset |s_z + \theta^{\pm}(s_z, v_z)v_z| = H$$ 

Proof. The condition $v_z \ne 0$ is only required to ensure that $\theta^{\pm}$ is defined. If $v_z > 0$ 
then by (29) or (30) we get 

$$s_z + \theta^{\pm}(s_z, v_z)v_z = s_z \pm H - s_z = \pm H,$$ 

the absolute value of which is $H$. If $v_z < 0$ then 

$$s_z + \theta^{\pm}(s_z, v_z)v_z = s_z \mp H - s_z = \mp H,$$ 

the absolute value of which is $H$. 

□ 

The next lemma establishes another important property of the $\theta^{\pm}$ function: at 
time $\theta^+(s_z, v_z)$ the ownship is leaving the infinite slice and at time $\theta^-(s_z, v_z)$ it is entering 
the infinite slice. 

Lemma 11 (vertical_entry_exit_condition) 

$$v_z \ne 0 \supset (s_z + \theta^+(s_z, v_z)v_z)v_z > 0 \land (s_z + \theta^-(s_z, v_z)v_z)v_z < 0$$ 

Proof. The condition $v_z \ne 0$ is required to ensure that the function $\theta^{\pm}$ is defined. 
We use the fact that $H > 0$. 

Case 1 [$v_z > 0$]. By (30) for $v_z > 0$, 

$$s_z + \theta^+(s_z, v_z)v_z = s_z + H - s_z = H.$$ 

By replacement, the first claim reduces to $Hv_z > 0$, which trivially holds. Likewise, 
by (29), 

$$s_z + \theta^-(s_z, v_z)v_z = s_z - H - s_z = -H.$$ 

By replacement, the second claim reduces to $-Hv_z < 0$, which trivially holds. 

Case 2 [$v_z < 0$]. By (30) for $v_z < 0$, 

$$s_z + \theta^+(s_z, v_z)v_z = s_z - H - s_z = -H.$$ 

By replacement, the first claim reduces to $-Hv_z > 0$, which trivially holds. Likewise, 
by (29), 

$$s_z + \theta^-(s_z, v_z)v_z = s_z + H - s_z = H.$$ 

By replacement, the second claim reduces to $Hv_z < 0$, which trivially holds. 

□ 

The next lemma states that $\theta^{\pm}$ values can be translated in time. 

Lemma 12 (theta_translation) 

$$v_z \ne 0 \supset \theta^{\pm}(s_z + t''v_z, v_z) = \theta^{\pm}(s_z, v_z) - t''$$ 

Proof. The condition $v_z \ne 0$ is required to ensure that the terms $\theta^{\pm}(s_z + t''v_z, v_z)$ 
and $\theta^{\pm}(s_z, v_z)$ are defined. Replacement by (29) and (30) yields 

$$\frac{\pm\text{sign}(v_z)H - (s_z + t''v_z)}{v_z} = \frac{\pm\text{sign}(v_z)H - s_z}{v_z} - t'',$$ 

which resolves by algebraic simplification. 

□ 


5.1.6 Time of Switch 

The time $t'$ is the time at which the ownship switches from the escape course to the 
recovery course. This time satisfies 

$$t'(v' - v'') = t''(v - v''),$$ 

or in coordinate notation 

$$t'(v'_x - v''_x) = t''(v_x - v''_x), \tag{31}$$ 

$$t'(v'_y - v''_y) = t''(v_y - v''_y), \tag{32}$$ 

$$t'(v'_z - v''_z) = t''(v_z - v''_z). \tag{33}$$ 

Equations (31) and (32) allow us to express $v''_x$ and $v''_y$ in terms of $t'$, $t''$, $v_x$, $v'_x$, $v_y$, $v'_y$, 
which allows us to compute the velocity vector from the arrival time: 

$$v''_x = \frac{t''v_x - t'v'_x}{t'' - t'}, \tag{34}$$ 

$$v''_y = \frac{t''v_y - t'v'_y}{t'' - t'}. \tag{35}$$ 
5.2 Correctness of Vertical Speed Case 

We impose the constraint that only the vertical component of the velocity vector 
may change. Formally, we define a predicate vertical_change? as follows 

$$\text{vertical\_change?}(v, w) \Leftrightarrow (v_x = w_x) \land (v_y = w_y) \tag{36}$$ 

Constraining both $v'$ and $v''$, we have: 

$$\text{vertical\_change?}(v, v') \land \text{vertical\_change?}(v', v'')$$ 

In terms of absolute coordinates, we have: 

$$v'_{ox} = v_{ox} = v''_{ox} \quad\text{and}\quad v'_{oy} = v_{oy} = v''_{oy}. \tag{37}$$ 

If the relative ground speed is zero ($v_x^2 + v_y^2 = 0$) then either the ownship is inside 
the infinite cylinder ($s_x^2 + s_y^2 < D^2$), and there is no vertical solution, or else there 
is no conflict. Otherwise, $\Theta^-(s, v)$ and $\Theta^+(s, v)$ are defined as in equations (20) 
and (21), and we may have the following independent solutions. 

5.2.1 In-circle 

If $0 < \Theta^-(s, v) < t''$ and $|s''_z| \ge H$ then there is an in-circle solution (Figure 9). It 
is given by $t' = \Theta^-(s, v)$, 

$$v''_{oz} = v_{iz} + \frac{\text{sign}(s''_z)H - s''_z}{\Theta^-(s, v) - t''},$$ 

$$v'_{oz} = v_{iz} + \frac{t''(v_{oz} - v_{iz}) - (t'' - \Theta^-(s, v))(v''_{oz} - v_{iz})}{\Theta^-(s, v)} = \frac{t''v_{oz} - (t'' - \Theta^-(s, v))v''_{oz}}{\Theta^-(s, v)}.$$ 

The following theorem has been formally verified for this maneuver: 

Theorem 13 (vert_in_circle_correctness) 

$$\text{hor\_sep?}(s)$$ 
$$\land\ \neg\text{pred\_sep?}(s, v, t'')$$ 
$$\land\ \text{vertical\_change?}(v + v_i, v' + v_i)$$ 
$$\land\ \text{vertical\_change?}(v' + v_i, v'' + v_i)$$ 
$$\land\ t' > 0 \land t' < t''$$ 
$$\land\ t' = \Theta^-(s, v)$$ 
$$\land\ s'' = s + t''v$$ 
$$\land\ |s''_z| \ge H$$ 
$$\land\ v''_z = \frac{\text{sign}(s''_z)H - s''_z}{t' - t''}$$ 
$$\land\ v'_z = \frac{t''v_z - (t'' - t')v''_z}{t'}$$ 
$$\supset \text{separation?}(s, v') \land \text{separation?}(s + t'v', v'')$$ 
Proof. First we use exploit_pred_conflict [Lemma 8] to obtain clash?(s, v). Next we 
observe that 

$$s_z + t'v'_z = \text{sign}(s''_z)H \tag{38}$$ 

by cross multiplying the formulas for $v''_z$ and $v'_z$ in the premise and using some 
algebra. 

Part 1 [Establish separation?(s, v')]: Using separation_lem [Lemma 1] we change 
the goal to establishing separation at $s + t'v'$, i.e., to $\text{separation?}(s + t'v', v')$. Ap- 
plication of Circle Case Correctness [Theorem 3] at $s + t'v'$ will give us the desired 
result, provided that we discharge its premises. We do so by proving that 

$$|s_z + t'v'_z| = H, \tag{39}$$ 

$$\text{entry\_point?}(s + t'v', v'), \tag{40}$$ 

$$(s_z + t'v'_z)v'_z \ge 0. \tag{41}$$ 

The claim (39) follows from (38). 

To show (40), we establish $\text{entry\_point?}(s + \Theta^-(s, v)v, v)$ by entry_it_is [Lemma 6]. 
Since entry_point? only involves the x and y components of the vector, and we have 
vertical_change?(v, v'), we also get $\text{entry\_point?}(s + \Theta^-(s, v)v', v')$. The claim (40) 
follows by $t' = \Theta^-(s, v)$. 

This leaves us to establish (41). Replacing with (38), this reduces to $\text{sign}(s''_z)Hv'_z \ge 0$. 
To prove this goal we perform a case split on $s''_z > 0$. 

Case [$s''_z > 0$]: Expanding sign and using the fact that $H$ is positive, the goal becomes 
$v'_z \ge 0$. Using the formula for $v'_z$ in the premise, and using $t' > 0$, the goal becomes 

$$t''v_z - t''v''_z + t'v''_z \ge 0.$$ 

From the formula for $v''_z$ in the premise, we obtain $t'v''_z - t''v''_z = H - s''_z$, which can 
be used to simplify the goal to 

$$H - s''_z + t''v_z \ge 0.$$ 

Using $s'' = s + t''v$, we get: 

$$H - s_z \ge 0.$$ 

From the premise $|s''_z| \ge H$, we get $s''_z \ge H$. From vert_pred [Lemma 9], we get 
$(s_z \ge H \land s''_z \ge H) \lor (s_z \le -H \land s''_z \le -H)$, which suffices to finish off this case. 

Case [$s''_z < 0$]: Analogous. 

Part 2 [Establish separation?(s + t'v', v'')]: Since $s'' = s + t''v$, the goal can be rewritten 
as: 

$$\text{separation?}(s'' - v''(t'' - t'), v'')$$ 

An application of Circle Case Correctness [Theorem 3] at $s'' - v''(t'' - t')$ will give us 
the desired result, provided that we can discharge its premises. We do so by proving 
that 

$$|s''_z - (t'' - t')v''_z| = H, \tag{42}$$ 

$$\text{entry\_point?}(s'' - (t'' - t')v'', v''), \tag{43}$$ 

$$(s''_z - (t'' - t')v''_z)v''_z \ge 0. \tag{44}$$ 

Substitution of the definition of $v''_z$ in (42) and algebraic simplification yields 
$|\text{sign}(s''_z)H| = H$, which is trivially true. 

For (43), we first show $\text{entry\_point?}(s + \Theta^-(s, v)v, v)$ using entry_it_is [Lemma 6]. 
Then the claim (43) follows by vertical_change?(v, v'), vertical_change?(v', v''), $t' = \Theta^-(s, v)$, and algebra. 

Finally let us prove (44). We first cross-multiply the premise that defines $v''_z$ to 
get: 

$$(t' - t'')v''_z = \text{sign}(s''_z)H - s''_z. \tag{45}$$ 

Substituting in (44) and simplifying yields 

$$\text{sign}(s''_z)v''_zH \ge 0. \tag{46}$$ 

Case splitting on the argument to sign: 

Case 1 [$s''_z > 0$]: From the premise $|s''_z| \ge H$ we get $s''_z \ge H$. Expanding sign in (45) 
we have $(t' - t'')v''_z = H - s''_z$. Thus $(t' - t'')v''_z \le 0$; hence $v''_z \ge 0$. The claim (46) 
follows. 

Case 2 [$s''_z < 0$]: From the premise $|s''_z| \ge H$, we get $s_z + t''v_z \le -H$. Expanding 
sign in (45) we have $(t' - t'')v''_z = -H - s''_z$. Thus $(t' - t'')v''_z \ge 0$; hence $v''_z \le 0$. The 
claim (46) follows. 

□ 


5.2.2 Out-circle 

If $0 < \Theta^+(s, v) < t''$ and $|s_z| \ge H$ then there is an out-circle solution (Figure 10). 
It is given by $t' = \Theta^+(s, v)$, 

$$v'_{oz} = v_{iz} + \frac{-\text{sign}(v_z)H - s_z}{\Theta^+(s, v)},$$ 

and 

$$v''_{oz} = v_{iz} + \frac{t''(v_{oz} - v_{iz}) - \Theta^+(s, v)(v'_{oz} - v_{iz})}{t'' - \Theta^+(s, v)} = \frac{t''v_{oz} - \Theta^+(s, v)v'_{oz}}{t'' - \Theta^+(s, v)}.$$ 

The verification of this solution was facilitated by the proof of the following 
lemmas about the signs of the vectors: 
Lemma 14 (signs_are_opposite) 

$$\neg\text{pred\_sep?}(s, v, t'') \land |s_z| \ge H \supset \text{sign}(s_z) = -\text{sign}(v_z)$$ 

Lemma 15 (signs_ve_z) 

$$\neg\text{pred\_sep?}(s, v, t'') \land |s_z| \ge H \land C > 0 \land v'_z = \frac{-\text{sign}(v_z)H - s_z}{C} \land v'_z \ne 0 \supset \text{sign}(v'_z) = \text{sign}(v_z)$$ 

Lemma 16 (signs_vr_z) 

$$\neg\text{pred\_sep?}(s, v, t'')$$ 
$$\land\ |s_z| \ge H$$ 
$$\land\ v'_z = \frac{-\text{sign}(v_z)H - s_z}{C}$$ 
$$\land\ t'' - C > 0 \land C > 0$$ 
$$\land\ v''_z = \frac{t''v_z - v'_zC}{t'' - C}$$ 
$$\supset \text{sign}(v''_z) = -\text{sign}(s_z)$$ 

Proofs of these lemmas are given in Appendix 7.2. 


The following theorem has been formally verified for this maneuver: 

Theorem 17 (vert_out_circle_correctness) 

$$\text{hor\_sep?}(s)$$ 
$$\land\ \text{vertical\_change?}(v, v') \land \text{vertical\_change?}(v', v'')$$ 
$$\land\ 0 < \Theta^+(s, v) \land \Theta^+(s, v) < t''$$ 
$$\land\ |s_z| \ge H$$ 
$$\land\ v'_z = \frac{-\text{sign}(v_z)H - s_z}{\Theta^+(s, v)}$$ 
$$\land\ v''_z = \frac{t''v_z - \Theta^+(s, v)v'_z}{t'' - \Theta^+(s, v)}$$ 
$$\land\ \neg\text{pred\_sep?}(s, v, t'')$$ 
$$\supset \text{separation?}(s, v') \land \text{separation?}(s + v'\Theta^+(s, v), v'')$$ 

Proof. First we use exploit_pred_conflict [Lemma 8] to obtain clash?(s, v). Next, 
cross-multiplying the premise that defines $v'_z$ yields 

$$\Theta^+(s, v)v'_z = -\text{sign}(v_z)H - s_z. \tag{47}$$ 

Part 1 [separation?(s, v')]: First we use separation_lem [Lemma 1] to translate the 
starting point to $s + \Theta^+(s, v)v'$. The goal becomes: 

$$\text{separation?}(s + \Theta^+(s, v)v', v')$$ 

An application of Circle Case Correctness [Theorem 3] at $s + v'\Theta^+(s, v)$ will give us 
the desired result, provided that we can discharge its premises. We do so by proving 
that 

$$|s_z + \Theta^+(s, v)v'_z| = H, \tag{48}$$ 

$$\text{exit\_point?}(s + \Theta^+(s, v)v', v'), \tag{49}$$ 

$$(s_z + \Theta^+(s, v)v'_z)v'_z \le 0. \tag{50}$$ 

The claim (48) follows trivially from (47). 

Next let us prove (49). The lemma exit_it_is [Lemma 7] is used to show 
$\text{exit\_point?}(s + \Theta^+(s, v)v, v)$. But since exit_point? only involves the x and y components of the 
vector, and we have vertical_change?(v, v'), we also get (49). 

This leaves us to prove (50). The case $v'_z = 0$ is trivial, so assume $v'_z \ne 0$. First, 
lemma signs_ve_z [Lemma 15] yields $\text{sign}(v'_z) = \text{sign}(v_z)$. Substituting this and (47) 
in (50) and simplifying yields 

$$-\text{sign}(v_z)Hv_z \le 0. \tag{51}$$ 

A case split on whether or not $v_z > 0$, and expanding the definition of sign, completes 
this part. 

Part 2 [separation?(s + v'Θ⁺(s, v), v'')]: 
An application of Circle Case Correctness [Theorem 3] at $s + v'\Theta^+(s, v)$ will give us 
the desired result, provided that we can discharge its premises. We do so by proving 
that 

$$|s_z + \Theta^+(s, v)v'_z| = H, \tag{52}$$ 

$$\text{exit\_point?}(s + \Theta^+(s, v)v', v''), \tag{53}$$ 

$$(s_z + \Theta^+(s, v)v'_z)v''_z \le 0. \tag{54}$$ 

The claim (52) follows trivially from (47). 

Next let us prove (53). The lemma exit_it_is [Lemma 7] establishes 
$\text{exit\_point?}(s + \Theta^+(s, v)v, v)$. We use the independence of the x and y coordinates and the premises 
vertical_change?(v, v') and vertical_change?(v', v'') to derive (53). 

This leaves us to prove (54). First we simplify to get the goal: 

$$s_zv''_z + v'_zv''_z\Theta^+(s, v) \le 0 \tag{55}$$ 

Next, we use signs_are_opposite [Lemma 14] and signs_vr_z [Lemma 16] to obtain 
$\text{sign}(s_z) = -\text{sign}(v_z)$ and $\text{sign}(v''_z) = -\text{sign}(s_z)$, respectively. Substituting these 
and (47) in (54) and simplifying yields 

$$-\text{sign}(v_z)v''_zH \le 0.$$ 

A case split on whether or not $v_z > 0$, and expanding the definition of sign, completes 
the proof. 

□ 


We also prove a theorem that states the arrival in time: 

Theorem 18 (vert_out_circle_timeliness) 

$$\text{hor\_sep?}(s) \land \neg\text{pred\_sep?}(s, v, t'') \land$$ 
$$\text{vertical\_change?}(v, v') \land \text{vertical\_change?}(v', v'') \land$$ 
$$0 < t'' \land 0 < \Theta^+(s, v) \land \Theta^+(s, v) < t'' \land$$ 
$$v'_z = \frac{-\text{sign}(v_z)H - s_z}{\Theta^+(s, v)} \land$$ 
$$v''_z = \frac{t''v_z - \Theta^+(s, v)v'_z}{t'' - \Theta^+(s, v)}$$ 
$$\supset s + t''v = s + \Theta^+(s, v)v' + (t'' - \Theta^+(s, v))v''$$ 

Proof. First, we use exploit_pred_conflict [Lemma 8] to obtain clash?(s, v). Cross- 
multiplying the definition of $v'_z$ yields $v'_z\Theta^+(s, v) = -\text{sign}(v_z)H - s_z$. Cross- 
multiplying the definition of $v''_z$ yields $v''_z(t'' - \Theta^+(s, v)) = t''v_z - \Theta^+(s, v)v'_z$. Then 
algebraic simplifications and rewriting will finish the proof. 

□ 
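The out-circle vertical maneuver of Section 5.2.2, worked numerically as an added example (this is code written for this page, not the paper's PVS development): it recomputes $\Theta^+$ from (23), the escape and recovery vertical speeds from the premises of Theorem 17, and $\theta^{\pm}$ from (29) and (30), then checks Lemmas 10, 11 and 14 to 16, the separation conclusions of Theorem 17 on a sampled time range, and the timeliness equation of Theorem 18. The values $D = 5$, $H = 1$, the relative state, the time horizon and the sign convention for $\text{sign}(0)$ are assumptions of the example; the sampled separation check is an approximation to the universally quantified separation? predicate.

```python
import math
from typing import Dict, Tuple

Vec = Tuple[float, float, float]
D, H, EPS = 5.0, 1.0, 1e-9   # constructed protected-zone parameters for this example


def sign(x: float) -> int:
    return 1 if x >= 0 else -1   # assumed convention for sign(0); the paper only uses sign(x) in {-1, 1}

def at(s: Vec, v: Vec, t: float) -> Vec:
    return (s[0] + t * v[0], s[1] + t * v[1], s[2] + t * v[2])

def separated(p: Vec) -> bool:
    """hor_sep?(p) or vert_sep?(p), the body of separation? (6)."""
    return p[0] ** 2 + p[1] ** 2 >= D ** 2 - EPS or abs(p[2]) >= H - EPS

def separation(s: Vec, v: Vec, lo: float = -60.0, hi: float = 60.0, n: int = 6000) -> bool:
    """separation?(s, v) (6), approximated by sampling t in [lo, hi] (an example assumption)."""
    return all(separated(at(s, v, lo + (hi - lo) * i / n)) for i in range(n + 1))

def theta_plus(s: Vec, v: Vec) -> float:
    """Theta^+(s, v) from (23): the later intersection time with the cylinder lateral surface."""
    disc = 4 * D ** 2 * (v[0] ** 2 + v[1] ** 2) - 4 * (s[0] * v[1] - s[1] * v[0]) ** 2   # Delta (15)
    if v[0] ** 2 + v[1] ** 2 == 0 or disc <= 0:
        raise ValueError("clash?(s, v) does not hold, so Theta^+ is undefined")
    return (-2 * s[0] * v[0] - 2 * s[1] * v[1] + math.sqrt(disc)) / (2 * v[0] ** 2 + 2 * v[1] ** 2)

def theta_vert(sz: float, vz: float, eps: int) -> float:
    """theta^-(s_z, v_z) (29) for eps = -1 and theta^+(s_z, v_z) (30) for eps = +1; needs v_z != 0."""
    return (eps * sign(vz) * H - sz) / vz

def out_circle_solution(s: Vec, v: Vec, t2: float) -> Dict[str, float]:
    """Out-circle solution of Section 5.2.2 in relative coordinates: t' = Theta^+(s, v),
    v'_z and v''_z exactly as in the premises of Theorem 17."""
    tp = theta_plus(s, v)
    if not (0 < tp < t2 and abs(s[2]) >= H - EPS):
        raise ValueError("out-circle preconditions 0 < Theta^+ < t'' and |s_z| >= H fail")
    vz_escape = (-sign(v[2]) * H - s[2]) / tp
    vz_recovery = (t2 * v[2] - tp * vz_escape) / (t2 - tp)
    return {"t_prime": tp, "vz_escape": vz_escape, "vz_recovery": vz_recovery}

def check_out_circle(s: Vec, v: Vec, t2: float) -> Dict[str, bool]:
    """Checks Lemmas 10, 11, 14-16 and the conclusions of Theorems 17 and 18 on one instance."""
    sol = out_circle_solution(s, v, t2)
    tp = sol["t_prime"]
    v1: Vec = (v[0], v[1], sol["vz_escape"])     # vertical_change?(v, v')
    v2: Vec = (v[0], v[1], sol["vz_recovery"])   # vertical_change?(v', v'')
    switch = at(s, v1, tp)                       # s + v' Theta^+(s, v)
    original_end, maneuver_end = at(s, v, t2), at(switch, v2, t2 - tp)
    th_minus, th_plus = theta_vert(s[2], v[2], -1), theta_vert(s[2], v[2], +1)
    return {
        "original_course_in_conflict": not separation(s, v, 0.0, t2),        # not pred_sep?(s, v, t'')
        "signs_are_opposite": sign(s[2]) == -sign(v[2]),                     # Lemma 14
        "signs_ve_z": sign(sol["vz_escape"]) == sign(v[2]),                   # Lemma 15
        "signs_vr_z": sign(sol["vz_recovery"]) == -sign(s[2]),                # Lemma 16
        "reaching_H_theta": abs(abs(s[2] + th_minus * v[2]) - H) < EPS        # Lemma 10
                            and abs(abs(s[2] + th_plus * v[2]) - H) < EPS,
        "vertical_entry_exit": (s[2] + th_plus * v[2]) * v[2] > 0             # Lemma 11
                               and (s[2] + th_minus * v[2]) * v[2] < 0,
        "switch_on_top_or_bottom": abs(abs(switch[2]) - H) < EPS,             # claim (48)
        "escape_separation": separation(s, v1),                               # Theorem 17, part 1
        "recovery_separation": separation(switch, v2),                        # Theorem 17, part 2
        "timeliness": all(abs(a - b) < EPS for a, b in zip(original_end, maneuver_end)),  # Theorem 18
    }

# Constructed sample: the ownship starts 2 units above the intruder, 20 units west and
# 3 units north of it, flies east at 2 units/s and descends at 0.3 units/s, so the
# original course enters the protected zone; the out-circle solution flattens the
# descent until the cylinder is left at Theta^+ and then descends faster to recover.
S0: Vec = (-20.0, 3.0, 2.0)
V0: Vec = (2.0, 0.0, -0.3)
T_END = 15.0

if __name__ == "__main__":
    print(out_circle_solution(S0, V0, T_END))
    print(check_out_circle(S0, V0, T_END))
```

On this sample $\Theta^+ = 12$, the escape descent rate is $-1/12$ so that the ownship sits exactly on the top of the slice ($s_z + \Theta^+ v'_z = H$, claim (48)) when it exits the cylinder, and the recovery rate $-3.5/3$ brings it to the original end point $(10, 3, -2.5)$ at $t'' = 15$. The three sign lemmas are visible directly in the numbers: $\text{sign}(s_z) = 1 = -\text{sign}(v_z)$, both maneuver rates are negative like $v_z$, and $\text{sign}(v''_z) = -\text{sign}(s_z)$.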


5.2.3 One-circle 

If $0 < \Theta^-(s, v)$ and $\Theta^+(s, v) < t''$ then for both $\epsilon \in \{-1, 1\}$ there may be a one- 
circle solution. Figure 7 shows the case where a one-circle solution exists for each 
$\epsilon = 1$ (left) and $\epsilon = -1$ (right). If $\epsilon s_z < H$ and $\epsilon s''_z < H$, then we compute the 
vertical speeds 

$$v'_{oz} = v_{iz} + \frac{\epsilon H - s_z}{\Theta^-(s, v)},$$ 

$$v''_{oz} = v_{iz} + \frac{\epsilon H - s''_z}{\Theta^+(s, v) - t''}.$$ 

If $v'_{oz} \ne v''_{oz}$, then $t'$ is given by (33), which simplifies to 

$$t' = t''\,\frac{v_{oz} - v''_{oz}}{v'_{oz} - v''_{oz}}.$$ 

In this case, there is a one-circle solution for $\epsilon$ given by $v'_{oz}$, $v''_{oz}$, and $t'$. 

We remark that there are no vertical solutions that touch the lines, nor circle- 
circle solutions. The following theorem has been proved in PVS: 
Theorem 19 (vert_one_circle_correctness) 

$$\text{hor\_sep?}(s) \land \neg\text{pred\_sep?}(s, v, t'') \land$$ 
$$\text{vertical\_change?}(v + v_i, v' + v_i) \land \text{vertical\_change?}(v' + v_i, v'' + v_i) \land$$ 
$$0 < t' < t'' \land 0 < \Theta^-(s, v) \land \Theta^+(s, v) < t'' \land$$ 
$$s'' = s + t''v \land \epsilon s_z < H \land \epsilon s''_z < H \land$$ 
$$v'_z = \frac{\epsilon H - s_z}{\Theta^-(s, v)} \land v''_z = \frac{\epsilon H - s''_z}{\Theta^+(s, v) - t''} \land$$ 
$$v'_z \ne v''_z \land t' = t''\,\frac{v_z - v''_z}{v'_z - v''_z}$$ 
$$\supset \text{separation?}(s, v') \land \text{separation?}(s + t'v', v'')$$ 

Proof. First, we use exploit_pred_conflict [Lemma 8] to obtain clash?(s, v). 

Part 1 [separation?(s, v')]: First we cross-multiply the premise that defines $v'_z$ to get: 

$$\Theta^-(s, v)v'_z = \epsilon H - s_z \tag{56}$$ 

Next we use separation_lem [Lemma 1] to translate the starting point to $s + \Theta^-(s, v)v'$. 
The goal becomes: 

$$\text{separation?}(s + \Theta^-(s, v)v', v')$$ 

An application of theorem Circle Case Correctness [Theorem 3] at $s + v'\Theta^-(s, v)$ will 
give us the desired result, provided that we can discharge its premises. We do so by 
proving that 

$$|s_z + \Theta^-(s, v)v'_z| = H, \tag{57}$$ 

$$\text{entry\_point?}(s + \Theta^-(s, v)v', v'), \tag{58}$$ 

$$(s_z + \Theta^-(s, v)v'_z)v'_z \ge 0. \tag{59}$$ 

The claim (57) follows immediately from (56). 

Next let us prove (58). The lemma entry_it_is [Lemma 6] is used to show 
$\text{entry\_point?}(s + \Theta^-(s, v)v, v)$. But since entry_point? only involves the x and y 
components of the vector, and vertical_change?(v, v') holds, we also get (58). 

This leaves us to prove (59). Substituting (56) simplifies the goal to 

$$\epsilon Hv'_z \ge 0.$$ 

From the premise $\epsilon s_z < H$, equation (56) and the fact that $\epsilon = 1 \lor \epsilon = -1$ we 
obtain $\epsilon v'_z > 0$, from which the goal trivially follows. 

Part 2 [separation?(s + t'v', v'')]: Cross-multiplying the premise that contains the 
definition of $v''_z$ yields 

$$(\Theta^+(s, v) - t'')v''_z = \epsilon H - s''_z. \tag{60}$$ 

First we note that 

$$s + t'v' = s'' - (t'' - t')v''. \tag{61}$$ 

This is easily put together from the premise $s'' = s + t''v$, the cross-multiplied 
definition of $t'$, and the fact that the x and y components of $v$, $v'$ and $v''$ are the 
same. We use (61) to change the goal to 

$$\text{separation?}(s'' - (t'' - t')v'', v'').$$ 

Next we use separation_lem [Lemma 1] to translate the starting point to $s'' - (t'' - t')v'' + (\Theta^+(s, v) - t')v''$. Applying the equality 

$$s'' - (t'' - t')v'' + (\Theta^+(s, v) - t')v'' = s'' + (\Theta^+(s, v) - t'')v''$$ 

this yields 

$$\text{separation?}(s'' + (\Theta^+(s, v) - t'')v'', v'').$$ 

An application of theorem Circle Case Correctness [Theorem 3] at $s'' + (\Theta^+(s, v) - t'')v''$ 
will give us the desired result, provided that we can discharge all its premises. 
We do so by proving that 

$$|s''_z + (\Theta^+(s, v) - t'')v''_z| = H, \tag{62}$$ 

$$\text{exit\_point?}(s'' + (\Theta^+(s, v) - t'')v'', v''), \tag{63}$$ 

$$(s''_z + (\Theta^+(s, v) - t'')v''_z)v''_z \le 0. \tag{64}$$ 

The claim (62) reduces by (60) to the trivial $|\epsilon H| = H$. 

Next let us prove (63). The lemma exit_it_is [Lemma 7] shows 
$\text{exit\_point?}(s'' + (\Theta^+(s, v) - t'')v, v)$. Then we exploit the fact that the x and y components are the 
same (because this is a vertical maneuver). This shows (63). 

This leaves us to show (64). Substituting (60) in (64) yields 

$$\epsilon Hv''_z \le 0. \tag{65}$$ 

Multiplication of (60) by $\epsilon$ and rewriting by $\epsilon\epsilon = 1$ yields 

$$\epsilon(\Theta^+(s, v) - t'')v''_z = H - \epsilon s''_z.$$ 

By the premise $\epsilon s''_z < H$, this is positive; since $\Theta^+(s, v) - t'' < 0$, we get $\epsilon v''_z < 0$, and so (65) follows. 

□ 

5.3 Ground-Speed Cases 

The ground-speed cases contain six independent solutions. There are four line and 
circle cases: line/line (Figure 4), line/circle (Figure 5), circle/line (Figure 6), and 
circle/circle (Figure 8), and two more cases: in-circle (Figure 9) and out-circle (Fig- 
ure 10). Each case is proven separately; however, the line and circle cases are 
so similar that two intermediate lemmas (line_correctness and circle_correctness) are 
proven that greatly aid the proof of the more general theorems. For each case, three 
conditions must be proven: the correctness of the escape course, the correctness 
of the recovery course, and the timeliness of the complete maneuver. Correctness 
refers to the property that the aircraft do not violate vertical and horizontal sepa- 
ration criteria and timeliness refers to the property that the aircraft complete the 
maneuver at the time of the original operation. 

In all cases of the RR3D algorithm, we assume that there is a conflict along the orig- 
inal course⁷ and that the relative velocity is defined as the ownship velocity minus the 
intruder velocity. These two conditions are captured in the RR3D_criteria?(s, v, v_o, v_i, t'') 
predicate: 

$$\text{RR3D\_criteria?}(s, v, v_o, v_i, t'') \Leftrightarrow \neg\text{pred\_sep?}(s, v, t'') \land v = v_o - v_i. \tag{66}$$ 

For the ground-speed only cases, we impose the constraint that only the ground 
speed of the ownship changes in each step. Formally, there are factors $k, j > 0$ such 
that 

$$v'_{ox} = kv_{ox}, \quad v'_{oy} = kv_{oy}, \quad v'_{oz} = v_{oz}, \tag{67}$$ 

$$v''_{ox} = jv_{ox}, \quad v''_{oy} = jv_{oy}, \quad v''_{oz} = v_{oz}. \tag{68}$$ 

By the definition of the relative velocity we define the ground_speed_only_absolute?(v, λ, v_o, v_i) 
predicate as follows 

$$\text{ground\_speed\_only\_absolute?}(v, \lambda, v_o, v_i) \Leftrightarrow$$ 
$$\lambda > 0 \land v_x = \lambda v_{ox} - v_{ix} \land v_y = \lambda v_{oy} - v_{iy} \land v_z = v_{oz} - v_{iz} \tag{69}$$ 

Using this predicate and the definitions in (67) and (68), we can constrain the 
relative escape and recovery velocities for the ground-speed only cases by 

$$\text{ground\_speed\_only\_absolute?}(v', k, v_o, v_i) \land \text{ground\_speed\_only\_absolute?}(v'', j, v_o, v_i)$$ 

Occasionally we will use the derived property $v'_z = v_z = v''_z$, which is proven in the 
following lemma: 

Lemma 20 (vert_speeds_equal) 

$$\text{RR3D\_criteria?}(s, v, v_o, v_i, t'')$$ 
$$\land\ \text{ground\_speed\_only\_absolute?}(v', k, v_o, v_i)$$ 
$$\land\ \text{ground\_speed\_only\_absolute?}(v'', j, v_o, v_i)$$ 
$$\supset v_z = v'_z \land v_z = v''_z$$ 

Proof. From the ground_speed_only_absolute? premises we derive that $v'_z$ and $v''_z$ are 
equal to $v_{oz} - v_{iz}$. We also know from (66) that the relative velocity $v$ is equal to 
$v_o - v_i$. Breaking this equation into its z coordinates we see that $v_z = v_{oz} - v_{iz}$. 

□ 

7 In other words, there is no predicted separation along the original course. 


During the development of correctness and timeliness properties, we will need 
some properties common to all ground speed only cases. The time_definition? pred- 
icate combines the equations (31) and (32). It is defined as 

$$\text{time\_definition?}(v, v', v'', t', t'') \Leftrightarrow$$ 
$$t'(v'_x - v''_x) = t''(v_x - v''_x) \land t'(v'_y - v''_y) = t''(v_y - v''_y). \tag{70}$$ 

First we observe that $k \ne j$: 

Lemma 21 (constants_not_equal) 

$$\text{RR3D\_criteria?}(s, v, v_o, v_i, t'')$$ 
$$\land\ \text{hor\_speed\_gt\_0?}(v_o)$$ 
$$\land\ \text{ground\_speed\_only\_absolute?}(v', k, v_o, v_i)$$ 
$$\land\ \text{ground\_speed\_only\_absolute?}(v'', j, v_o, v_i)$$ 
$$\land\ \text{time\_definition?}(v, v', v'', t', t'')$$ 
$$\land\ (\text{separation?}(s, v') \lor \text{separation?}(s + t''v, v''))$$ 
$$\supset k \ne j$$ 

Proof. Since the ownship's ground speed must be different from zero (by the predi- 
cate hor_speed_gt_0?), either $v_{ox} \ne 0$ or $v_{oy} \ne 0$. If $v_{ox} \ne 0$ then we get 

$$t'(k - j) = t''(1 - j) \tag{71}$$ 

from (31). If $v_{oy} \ne 0$ then we get (71) from (32). 

We proceed with a proof by contradiction. Assume $k = j$. Observe that $t'' \ge 0$ 
follows from (66). If $t'' = 0$, then by (66), we must start and end in a conflict. 
Therefore neither of the two separation conditions can be true. This is a contradic- 
tion. 

If $t'' > 0$ and $k = j$, then $0 = 1 - j$ follows from (71). So $k = j = 1$, which means 
that $v = v' = v''$ by (67) and (68). This contradicts the premise $\neg\text{pred\_sep?}(s, v, t'')$. 
Thus we have $k \ne j$. 

□ 

If $k \ne j$ then $t'$ is defined uniquely by (71), which is equivalent to 

$$t' = \frac{t''(1 - j)}{k - j}. \tag{72}$$ 

In PVS, this is established in the following lemma. 
Lemma 22 (escape_time_defined) 

$$\text{RR3D\_criteria?}(s, v, v_o, v_i, t'')$$ 
$$\land\ \text{hor\_speed\_gt\_0?}(v_o)$$ 
$$\land\ \text{ground\_speed\_only\_absolute?}(v', k, v_o, v_i)$$ 
$$\land\ \text{ground\_speed\_only\_absolute?}(v'', j, v_o, v_i)$$ 
$$\land\ \text{time\_definition?}(v, v', v'', t', t'')$$ 
$$\land\ k \ne j$$ 
$$\supset t' = \frac{t''(1 - j)}{k - j}$$ 

Proof. Since the ownship's ground speed must be different from zero (by the pred- 
icate hor_speed_gt_0?), either $v_{ox} \ne 0$ or $v_{oy} \ne 0$. If $v_{ox} \ne 0$ then we get (71) 
from (31). If $v_{oy} \ne 0$ then we get (71) from (32). Since $k \ne j$ by assumption, using 
algebra we get the claim. 

□ 


5.3.1 Timeliness 


Recall that the timeliness condition states that the maneuver is completed at the same time as the original course and that the resulting position is the same as the original ending position. The lemma that proves the timeliness condition is presented below. Since this lemma does not depend on the specific definitions of the constants k and j, all six ground-speed-only cases use the same timeliness lemma.

Lemma 23 (gs_timeliness)

ground_speed_only_absolute?(v', k, v_o, v_i)
∧ ground_speed_only_absolute?(v'', j, v_o, v_i)
∧ v = v_o − v_i
∧ k ≠ j
∧ t' = t''(1 − j)/(k − j)
⊃ s + t''v = (s + t'v') + (t'' − t')v''


Proof. Expand both ground_speed_only_absolute? predicates, then substitute the definitions of v' and v'' into the implication. Next, substitute the definition of v (provided in the assumptions) into the implication. Separate the implication into its x, y, and z coordinates; the result is the three equations

$$v_{ox}t'' - v_{ix}t'' = (jv_{ox} - v_{ix})t'' + \frac{t'' - jt''}{k - j}(kv_{ox} - v_{ix}) - \frac{t'' - jt''}{k - j}(jv_{ox} - v_{ix}),$$

$$v_{oy}t'' - v_{iy}t'' = (jv_{oy} - v_{iy})t'' + \frac{t'' - jt''}{k - j}(kv_{oy} - v_{iy}) - \frac{t'' - jt''}{k - j}(jv_{oy} - v_{iy}),$$

$$v_{oz}t'' - v_{iz}t'' = (v_{oz} - v_{iz})t'' + \frac{t'' - jt''}{k - j}(v_{oz} - v_{iz}) - \frac{t'' - jt''}{k - j}(v_{oz} - v_{iz}),$$

each of which can be reduced by algebra.

□ 
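As an added numerical check of the argument in Lemmas 21 through 23 (example code, not part of the original paper or its PVS development), the following Python builds the ground-speed-only escape and recovery velocities, computes t' from (72), and verifies (70) and the timeliness equation on constructed sample vectors; the sample values, the tuple-based vector helpers and the function names are this example's own.

```python
"""Numerical check of the ground-speed-only timeliness argument (Lemmas 21-23).

Conventions follow the text: v = v_o - v_i is the relative velocity,
v' = (k v_ox - v_ix, k v_oy - v_iy, v_oz - v_iz) is the escape velocity and
v'' is the recovery velocity built with the constant j (ground speed only,
so the vertical component is not scaled). Vectors are (x, y, z) tuples.
"""
from typing import Tuple

Vec = Tuple[float, float, float]
EPS = 1e-9


def sub(a: Vec, b: Vec) -> Vec:
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])


def add(a: Vec, b: Vec) -> Vec:
    return (a[0] + b[0], a[1] + b[1], a[2] + b[2])


def scale(t: float, a: Vec) -> Vec:
    return (t * a[0], t * a[1], t * a[2])


def ground_speed_only(k: float, vo: Vec, vi: Vec) -> Vec:
    """ground_speed_only_absolute?(v', k, v_o, v_i): scale only the horizontal
    components of the ownship velocity, then take the relative velocity."""
    return (k * vo[0] - vi[0], k * vo[1] - vi[1], vo[2] - vi[2])


def escape_time_defined(k: float, j: float) -> bool:
    """Lemma 21/22: equation (71) fixes t' uniquely exactly when k != j."""
    return k != j


def escape_time(k: float, j: float, t2: float) -> float:
    """t' from equation (72): t' = t''(1 - j)/(k - j)."""
    if not escape_time_defined(k, j):
        raise ValueError("k == j: escape time is not defined (Lemma 21)")
    return t2 * (1.0 - j) / (k - j)


def time_definition_holds(v: Vec, v1: Vec, v2: Vec, t1: float, t2: float) -> bool:
    """time_definition?(v, v', v'', t', t''), equation (70)."""
    x_ok = abs(t1 * (v1[0] - v2[0]) - t2 * (v[0] - v2[0])) < EPS
    y_ok = abs(t1 * (v1[1] - v2[1]) - t2 * (v[1] - v2[1])) < EPS
    return x_ok and y_ok


def timeliness_residual(s: Vec, vo: Vec, vi: Vec, k: float, j: float, t2: float) -> float:
    """Largest coordinate difference between s + t''v and
    (s + t'v') + (t'' - t')v'' (conclusion of Lemma 23); 0 means timely."""
    v = sub(vo, vi)
    v1 = ground_speed_only(k, vo, vi)
    v2 = ground_speed_only(j, vo, vi)
    t1 = escape_time(k, j, t2)
    original_end = add(s, scale(t2, v))
    maneuver_end = add(add(s, scale(t1, v1)), scale(t2 - t1, v2))
    return max(abs(a - b) for a, b in zip(original_end, maneuver_end))


# Constructed sample (no units implied): ownship velocity (4, 3, 1), intruder
# velocity (1, 2, 1); the escape speeds up by k = 1.5, the recovery slows to
# j = 0.5, and the original course ends at t'' = 10.
SAMPLE_S: Vec = (20.0, -5.0, 0.0)
SAMPLE_VO: Vec = (4.0, 3.0, 1.0)
SAMPLE_VI: Vec = (1.0, 2.0, 1.0)
SAMPLE_K, SAMPLE_J, SAMPLE_T2 = 1.5, 0.5, 10.0

if __name__ == "__main__":
    t1 = escape_time(SAMPLE_K, SAMPLE_J, SAMPLE_T2)
    print("t' =", t1)
    print("timeliness residual =",
          timeliness_residual(SAMPLE_S, SAMPLE_VO, SAMPLE_VI, SAMPLE_K, SAMPLE_J, SAMPLE_T2))
```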


5.3.2 Line and Circle Correctness 

There are four line and circle cases: line/line (Figure 4), line/circle (Figure 5), circle/line (Figure 6), and circle/circle (Figure 8). These cases are quite similar to each other and will be described together. Each of these cases can be viewed as a combination of an escape line subcase or an in-circle subcase with either a recovery line subcase or an out-circle subcase. If we prove the correctness of each of these four subcases, then the subcases can be assembled into proofs for each of the four line and circle cases. Recall that correctness means that during the escape or recovery course there is no violation of both the horizontal and the vertical separation constraints. The escape and recovery line subcases are proven with line_correctness [Lemma 24]. The in-circle and out-circle subcases are proven with circle_correctness [Lemma 27].

The conditions for both the escape and recovery line subcases can be covered with a single predicate line_case?, which is defined as

line_case?(s, v) ⇔ hor_speed_gt_0?(v) ∧ tangent_condition?(s, v). (73)

Instantiating this predicate as line_case?(s, v') yields an escape line subcase and 
instantiating it as line_case?(s + t"v, v") yields a recovery line case. Correctness can 
be proven without relying on either of these two instantiations: any parameters may 
be used. To prove the correctness of line subcases we use the lemma line_correctness. 

Lemma 24 (line_correctness)

hor_speed_gt_0?(v)
∧ tangent_condition?(s, v)
⊃ separation?(s, v)

Proof. From tau_is_tangent_pt [Lemma 4], we can show tangent_point?(s + τ(s, v)v, v) provided that hor_speed_gt_0?(v) and tangent_condition?(s, v). These two conditions are met since they are assumptions of line_correctness. Then by the line_case_correctness theorem [Theorem 2], tangent_point?(s + τ(s, v)v, v) implies separation?(s + τ(s, v)v, v). Finally observe that by separation_lem [Lemma 1], separation?(s + τ(s, v)v, v) is equivalent to separation?(s, v).

□ 


In the original paper [1] the line subcases are defined by the solutions of the equation

$$k^2\bigl[D^2(v_{ox}^2 + v_{oy}^2) - (s_xv_{oy} - s_yv_{ox})^2\bigr] - 2k\bigl[D^2(v_{ox}v_{ix} + v_{oy}v_{iy}) - (s_xv_{oy} - s_yv_{ox})(s_xv_{iy} - s_yv_{ix})\bigr] + D^2(v_{ix}^2 + v_{iy}^2) - (s_xv_{iy} - s_yv_{ix})^2 = 0. \qquad (74)$$

In order to use line_correctness [Lemma 24] for them, we must show that equation (74) implies the tangent condition.

Lemma 25 (constant_for_line)

ground_speed_only_absolute?(v, k, v_o, v_i)
∧ a = D²(v_ox² + v_oy²) − (s_x v_oy − s_y v_ox)²
∧ b = −2(D²(v_ox v_ix + v_oy v_iy) − (s_x v_oy − s_y v_ox)(s_x v_iy − s_y v_ix))
∧ c = D²(v_ix² + v_iy²) − (s_x v_iy − s_y v_ix)²
∧ 0 = ak² + bk + c
⊃ tangent_condition?(s, v)

Proof. Expanding the definitions of ground_speed_only_absolute? and tangent_condition? 
followed by extensive algebraic manipulation proves this lemma. 

□ 


An alternate form of this lemma is useful when one is computing the roots of the 
quadratic instead of assuming that the quadratic relationship already holds. This 
alternate lemma is used in the proofs of the algorithmic form of the ground-speed 
only solutions. 

Lemma 26 (constant_for_line_alt)

ground_speed_only_absolute?(v, k, v_o, v_i)
∧ a = D²(v_ox² + v_oy²) − (s_x v_oy − s_y v_ox)²
∧ b = −2(D²(v_ox v_ix + v_oy v_iy) − (s_x v_oy − s_y v_ox)(s_x v_iy − s_y v_ix))
∧ c = D²(v_ix² + v_iy²) − (s_x v_iy − s_y v_ix)²
∧ ((a = 0 ∧ b ≠ 0 ∧ k = −c/b) ∨
   (a ≠ 0 ∧ b² − 4ac ≥ 0 ∧ (k = root(−1, a, b, c) ∨ k = root(1, a, b, c))))
⊃ tangent_condition?(s, v)

Recall that root(−1, a, b, c) and root(1, a, b, c) denote the two roots of the quadratic equation with coefficients a, b, and c.

Proof. The proof proceeds as two cases.

Case 1 [a = 0 ∧ b ≠ 0 ∧ k = −c/b]. Instantiate constant_for_line [Lemma 25], then substitute the definitions a = 0 and k = −c/b into the quadratic equation from this lemma. Reduce with algebra.

Case 2 [a ≠ 0 ∧ b² − 4ac ≥ 0 ∧ (k = root(−1, a, b, c) ∨ k = root(1, a, b, c))]. Using (24), we get ak² + bk + c = 0. Then instantiating constant_for_line [Lemma 25] discharges this proof.

□ 




The correctness of both the in-circle and out-circle subcases is proven in circle_correctness [Lemma 27]. The conditions for an in-circle course are captured in the predicate in_circle_case?(s, v, v'', t''), which is defined as

in_circle_case?(s, v, v'', t'') ⇔ v_z ≠ 0 ∧ entry_point?((s + t''v) + (θ⁺(s_z, v_z) − t'')v'', v''). (75)

The conditions for an out-circle course are captured in the predicate out_circle_case?(s, v'), which is defined as

out_circle_case?(s, v') ⇔ v'_z ≠ 0 ∧ exit_point?(s + θ⁻(s_z, v'_z)v', v'). (76)

Observing the similarities between the two circle subcases allows the definition and 
proof of a single lemma, circle_correctness, that will help in each subcase. This lemma 
should be instantiated at the point s along the v' vector for an escape course (the 
out_circle_case? case) and at the point s + t"v along the v" vector for a recovery 
course (the in_circle_case? case). 

Lemma 27 (circle_correctness)

v_z ≠ 0
∧ (exit_point?(s + θ⁻(s_z, v_z)v, v) ∨ entry_point?(s + θ⁺(s_z, v_z)v, v))
⊃ separation?(s, v)

Proof. The proof proceeds as one of two cases: either the point is an entry point or an exit point. For each case, the v_z ≠ 0 condition is required to ensure that the θ^±(s_z, v_z) expression is defined.

Case 1 [exit_point?(s + θ⁻(s_z, v_z)v, v)]. Instantiating the circle_case_correctness theorem [Theorem 3] at the point s + θ⁻(s_z, v_z)v along the vector v implies separation?(s + θ⁻(s_z, v_z)v, v), provided that we can discharge its premises. We do so by proving that

|s_z + θ⁻(s_z, v_z)v_z| ≥ H, (77)

exit_point?(s + θ⁻(s_z, v_z)v, v), (78)

(s_z + θ⁻(s_z, v_z)v_z)v_z ≤ 0. (79)

Condition (77) is met by applying reaching_H_theta [Lemma 10]. The lemma states that |s_z + θ⁻(s_z, v_z)v_z| = H, and we have H ≥ H. Condition (78) is met trivially by the exit_point? assumption. Lemma vertical_entry_exit_condition [Lemma 11] discharges (79). Since these three conditions have been met, the circle_case_correctness theorem yields separation?(s + θ⁻(s_z, v_z)v, v). Applying separation_lem [Lemma 1], separation?(s + θ⁻(s_z, v_z)v, v) is equivalent to separation?(s, v).

Case 2 [entry_point?(s + θ⁺(s_z, v_z)v, v)]. Like Case 1, but with θ⁺ and entry_point? instead of θ⁻ and exit_point?, respectively.

□ 
Circle subcases are defined in the original paper [1] by certain defining equations. Therefore, we must show that those equations imply an escape course or a recovery course. First we will show that the quadratic presented in the paper,

$$\lambda^2 t^2 (v_{ox}^2 + v_{oy}^2) + 2\lambda t\,(s_x v_{ox} - t v_{ix} v_{ox} + s_y v_{oy} - t v_{iy} v_{oy}) + (s_x - t v_{ix})^2 + (s_y - t v_{iy})^2 - D^2 = 0, \qquad (80)$$

for both subcases implies that s + tv is on the lateral surface of the cylinder. For convenience we introduce a predicate on_cyl? for this purpose, defined by

on_cyl?(s) ⇔ s_x² + s_y² = D². (81)

The value t is instantiated by θ⁻(s_z, v_z) for an escape course and by θ⁺(s_z, v_z) − t'' for a recovery course. The value λ can be the constant k for an escape course or the constant j for a recovery course.


Lemma 28 (constant_for_circle)

ground_speed_only_absolute?(v, λ, v_o, v_i)
∧ a = t²(v_ox² + v_oy²)
∧ b = 2t(s_x v_ox − t v_ix v_ox + s_y v_oy − t v_iy v_oy)
∧ c = (s_x − t v_ix)² + (s_y − t v_iy)² − D²
∧ 0 = aλ² + bλ + c
⊃ on_cyl?(s + tv)


Proof. Expanding the definitions of ground_speed_only_absolute? and on_cyl? followed by extensive algebraic manipulation proves this lemma.

□ 


In a similar way to how both lemmas constant_for_line [Lemma 25] and con- 
stant_for_line_alt [Lemma 26] are developed to define the constants of a line case, an 
alternate form of constant_for_circle [Lemma 28] is useful when one is computing the 
roots of the quadratic instead of assuming that the quadratic relationship already 
holds. This alternate lemma is used in the proofs of the algorithmic form of the 
ground-speed only solutions. 
Lemma 29 (constant_for_circle_alt)

ground_speed_only_absolute?(v, λ, v_o, v_i)
∧ a = t²(v_ox² + v_oy²)
∧ b = 2t(s_x v_ox − t v_ix v_ox + s_y v_oy − t v_iy v_oy)
∧ c = (s_x − t v_ix)² + (s_y − t v_iy)² − D²
∧ ((a = 0 ∧ b ≠ 0 ∧ λ = −c/b) ∨
   (a ≠ 0 ∧ b² − 4ac ≥ 0 ∧ (λ = root(−1, a, b, c) ∨ λ = root(1, a, b, c))))
⊃ on_cyl?(s + tv)


Proof. The proof proceeds as two cases.

Case 1 [a = 0 ∧ b ≠ 0 ∧ λ = −c/b]. Instantiate constant_for_circle [Lemma 28], then substitute the definitions a = 0 and λ = −c/b into the quadratic equation from this lemma. Reduce with algebra.

Case 2 [a ≠ 0 ∧ b² − 4ac ≥ 0 ∧ (λ = root(−1, a, b, c) ∨ λ = root(1, a, b, c))]. Using (24) we get aλ² + bλ + c = 0. Then instantiating constant_for_circle [Lemma 28] discharges this proof.

□ 
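The following Python, added here and not part of the original paper or its PVS theory, computes the coefficients a, b, c of Lemmas 25/26 (line subcase) and of Lemmas 28/29 (circle subcase) for a constructed horizontal geometry, takes the roots root(−1, a, b, c) and root(1, a, b, c), and checks that each resulting relative velocity indeed satisfies tangent_condition? or on_cyl?; the sample values and the function names are this example's own.

```python
"""Numerical check of Lemmas 25/26 (line subcases) and 28/29 (circle
subcases) for ground-speed-only solutions, restricted to the horizontal plane.

root(eps, a, b, c) = (-b + eps*sqrt(b^2 - 4ac)) / (2a) as in the text; the
a = 0 branch of the _alt lemmas yields the single solution -c/b.
"""
import math
from typing import List, Tuple

EPS = 1e-9
Vec2 = Tuple[float, float]


def quadratic_solutions(a: float, b: float, c: float) -> List[float]:
    """All lambda admitted by the premise of constant_for_line_alt /
    constant_for_circle_alt: -c/b when a = 0 and b != 0, otherwise
    root(-1, a, b, c) and root(1, a, b, c) when the discriminant is >= 0."""
    if a == 0.0:
        return [-c / b] if b != 0.0 else []
    disc = b * b - 4.0 * a * c
    if disc < 0.0:
        return []
    return [(-b + eps * math.sqrt(disc)) / (2.0 * a) for eps in (-1.0, 1.0)]


def gs_only(lam: float, vo: Vec2, vi: Vec2) -> Vec2:
    """Horizontal part of ground_speed_only_absolute?(v, lambda, v_o, v_i)."""
    return (lam * vo[0] - vi[0], lam * vo[1] - vi[1])


def tangent_condition(s: Vec2, v: Vec2, D: float) -> bool:
    """tangent_condition?(s, v): D^2 (v_x^2 + v_y^2) = (s_x v_y - s_y v_x)^2."""
    lhs = D * D * (v[0] ** 2 + v[1] ** 2)
    rhs = (s[0] * v[1] - s[1] * v[0]) ** 2
    return abs(lhs - rhs) < EPS * max(1.0, abs(lhs))


def on_cyl(p: Vec2, D: float) -> bool:
    """on_cyl?(p), equation (81): p_x^2 + p_y^2 = D^2."""
    return abs(p[0] ** 2 + p[1] ** 2 - D * D) < EPS * max(1.0, D * D)


def line_constants(s: Vec2, vo: Vec2, vi: Vec2, D: float) -> Tuple[float, float, float]:
    """Coefficients a, b, c of the quadratic in k (equation (74), Lemma 25),
    obtained by expanding tangent_condition?(s, k v_o - v_i)."""
    cross_o = s[0] * vo[1] - s[1] * vo[0]
    cross_i = s[0] * vi[1] - s[1] * vi[0]
    a = D * D * (vo[0] ** 2 + vo[1] ** 2) - cross_o ** 2
    b = -2.0 * (D * D * (vo[0] * vi[0] + vo[1] * vi[1]) - cross_o * cross_i)
    c = D * D * (vi[0] ** 2 + vi[1] ** 2) - cross_i ** 2
    return a, b, c


def circle_constants(s: Vec2, vo: Vec2, vi: Vec2, D: float, t: float) -> Tuple[float, float, float]:
    """Coefficients a, b, c of the quadratic in lambda (equation (80),
    Lemma 28), obtained by expanding on_cyl?(s + t (lambda v_o - v_i))."""
    a = t * t * (vo[0] ** 2 + vo[1] ** 2)
    b = 2.0 * t * (s[0] * vo[0] - t * vi[0] * vo[0] + s[1] * vo[1] - t * vi[1] * vo[1])
    c = (s[0] - t * vi[0]) ** 2 + (s[1] - t * vi[1]) ** 2 - D * D
    return a, b, c


def line_case_solutions(s: Vec2, vo: Vec2, vi: Vec2, D: float) -> List[Tuple[float, bool]]:
    """Each admissible k paired with whether tangent_condition?(s, k v_o - v_i) holds."""
    a, b, c = line_constants(s, vo, vi, D)
    return [(k, tangent_condition(s, gs_only(k, vo, vi), D)) for k in quadratic_solutions(a, b, c)]


def circle_case_solutions(s: Vec2, vo: Vec2, vi: Vec2, D: float, t: float) -> List[Tuple[float, bool]]:
    """Each admissible lambda paired with whether on_cyl?(s + t(lambda v_o - v_i)) holds."""
    a, b, c = circle_constants(s, vo, vi, D, t)
    out = []
    for lam in quadratic_solutions(a, b, c):
        v = gs_only(lam, vo, vi)
        out.append((lam, on_cyl((s[0] + t * v[0], s[1] + t * v[1]), D)))
    return out


# Constructed sample geometry (no units implied): relative position 10 units
# along y, protected-zone radius D = 5; the circle case asks the relative
# position to reach the cylinder wall at t = 2.
LINE_S, LINE_VO, LINE_VI, D_ZONE = (0.0, 10.0), (4.0, 0.0), (1.0, -2.0), 5.0
CIRC_S, CIRC_VO, CIRC_VI, CIRC_T = (0.0, 10.0), (3.0, -4.0), (1.0, 0.0), 2.0

if __name__ == "__main__":
    print("line   (k, tangent?):", line_case_solutions(LINE_S, LINE_VO, LINE_VI, D_ZONE))
    print("circle (lambda, on_cyl?):", circle_case_solutions(CIRC_S, CIRC_VO, CIRC_VI, D_ZONE, CIRC_T))
```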


From the original paper [1], the equations used to define a circle subcase for an escape course include equation (80) and require that the translated location multiplied by the escape velocity be greater than or equal to zero, that is,

$$(s_x + t(\lambda v_{ox} - v_{ix}))(\lambda v_{ox} - v_{ix}) + (s_y + t(\lambda v_{oy} - v_{iy}))(\lambda v_{oy} - v_{iy}) \ge 0. \qquad (82)$$

In this paper, we say that an out-circle subcase (76) must be an exit point. Since we 
have already shown that (80) implies on_cyl?, we now need to show that the on_cyl? 
predicate and (82) imply an exit point. 

Lemma 30 (constant_for_circle_exit)

ground_speed_only_absolute?(v, λ, v_o, v_i)
∧ on_cyl?(s + tv)
∧ (s_x + t(λv_ox − v_ix))(λv_ox − v_ix) + (s_y + t(λv_oy − v_iy))(λv_oy − v_iy) ≥ 0
⊃ exit_point?(s + tv, v)


Proof. Expansion of exit_point? and on_cyl? solves the goal. 

□ 


From the original paper [1], the equations used to define a circle subcase for a recovery course include equation (80) and require

$$(s_x + t(\lambda v_{ox} - v_{ix}))(\lambda v_{ox} - v_{ix}) + (s_y + t(\lambda v_{oy} - v_{iy}))(\lambda v_{oy} - v_{iy}) \le 0. \qquad (83)$$

In this paper we say that an in-circle subcase (75) must be an entry point. Since we have already shown that (80) implies on_cyl?, we now need to show that the on_cyl? predicate and (83) imply an entry point.


Lemma 31 (constant_for_circle_entry)

ground_speed_only_absolute?(v, λ, v_o, v_i)
∧ on_cyl?(s + tv)
∧ (s_x + t(λv_ox − v_ix))(λv_ox − v_ix) + (s_y + t(λv_oy − v_iy))(λv_oy − v_iy) ≤ 0
⊃ entry_point?(s + tv, v)


Proof. Expansion of entry_point? and on_cyl? solves the goal. 

□ 


5.3.3 Line and Circle Cases 

We next present the proofs of the four line and circle cases line_line [Theorem 32], circle_line [Theorem 33], line_circle [Theorem 34], and circle_circle [Theorem 35]. For each case three conditions must be proven: the correctness of the escape course, the correctness of the recovery course, and the timeliness of the maneuver. Recall that correctness refers to the property that the aircraft do not violate the vertical and horizontal separation criteria, and timeliness refers to the aircraft completing the maneuver at the time of the original operation. To prove correctness for a line course (either escape or recovery) we use line_correctness [Lemma 24]. To prove correctness for a circle course (either escape or recovery) we use circle_correctness [Lemma 27]. Finally, to prove timeliness we use gs_timeliness [Lemma 23]. Three predicates are used to define the type of escape and recovery course: the line_case? predicate (73), the in_circle_case? predicate (75), and the out_circle_case? predicate (76).

For the cases involving an escape line course, we check for sanity that 0 < τ(s, v') < t'. For the cases involving a recovery line course, we check for sanity that t' < τ(s'', v'') + t'' < t''. Furthermore, for the cases involving a circle course, we assume that the relative vertical speed is not zero, i.e., v_z ≠ 0; otherwise, there is no solution. In all the cases, we check for sanity that k, j > 0.

The first case we will consider is the case with a line escape course and a line 
recovery course. 
Theorem 32 (line_line)

RR3D_criteria?(s, v, v_o, v_i, t'')
∧ hor_speed_gt_0?(v_o)
∧ ground_speed_only_absolute?(v', k, v_o, v_i)
∧ ground_speed_only_absolute?(v'', j, v_o, v_i)
∧ line_case?(s, v')
∧ line_case?(s + t''v, v'')
∧ time_definition?(v, v', v'', t', t'')
⊃
separation?(s, v')
∧ separation?(s + t''v, v'')
∧ s + t''v = (s + t'v') + (t'' − t')v''

Proof. Step 1 [Escape Correctness]. First instantiate line_correctness [Lemma 24] for the escape course. This discharges the claim separation?(s, v').

Step 2 [Recovery Correctness]. Next use line_correctness [Lemma 24] again for the recovery course, that is, instantiate it with the starting point s + t''v and the velocity v''. This discharges the claim separation?(s + t''v, v'').

Step 3 [Timeliness]. Lemma constants_not_equal [Lemma 21] supplies k ≠ j. With it, escape_time_defined [Lemma 22] yields a formula for t'. Both facts are in turn used by gs_timeliness [Lemma 23] to yield the claim s + t''v = (s + t'v') + (t'' − t')v''. The condition v = v_o − v_i is discharged by expanding the RR3D_criteria? premise (66).

□ 

Next we will consider the case with a circle escape course and a line recovery 
course. 

Theorem 33 (circle_line)

RR3D_criteria?(s, v, v_o, v_i, t'')
∧ hor_speed_gt_0?(v_o)
∧ ground_speed_only_absolute?(v', k, v_o, v_i)
∧ ground_speed_only_absolute?(v'', j, v_o, v_i)
∧ out_circle_case?(s, v')
∧ line_case?(s + t''v, v'')
∧ time_definition?(v, v', v'', t', t'')
⊃
separation?(s, v')
∧ separation?(s + t''v, v'')
∧ s + t''v = (s + t'v') + (t'' − t')v''
Proof. Step 1 [Escape Correctness]. First instantiate circle_correctness [Lemma 27] at the starting point s along the velocity vector v'. This lemma discharges the separation?(s, v') predicate provided that we can discharge its premises. We do so by proving that

v'_z ≠ 0,

exit_point?(s + θ⁻(s_z, v'_z)v', v').

Both conditions are given by the out_circle_case? premise (76).

Step 2 [Recovery Correctness]. Next line_correctness [Lemma 24] is used for the recovery course, that is, instantiated with the starting point s + t''v and the velocity v''. This discharges the claim separation?(s + t''v, v'').

Step 3 [Timeliness]. Exactly as in [Theorem 32].

□ 

Next we will consider the case with a line escape course and a circle recovery 
course. 

Theorem 34 (line_circle)

RR3D_criteria?(s, v, v_o, v_i, t'')
∧ hor_speed_gt_0?(v_o)
∧ ground_speed_only_absolute?(v', k, v_o, v_i)
∧ ground_speed_only_absolute?(v'', j, v_o, v_i)
∧ line_case?(s, v')
∧ in_circle_case?(s, v, v'', t'')
∧ time_definition?(v, v', v'', t', t'')
⊃
separation?(s, v')
∧ separation?(s + t''v, v'')
∧ s + t''v = (s + t'v') + (t'' − t')v''

Proof. Step 1 [Escape Correctness]. First instantiate line_correctness [Lemma 24] for the escape course. This discharges the separation?(s, v') predicate.

Step 2 [Recovery Correctness]. Lemma circle_correctness [Lemma 27] is used for the recovery course. This lemma is instantiated with a starting point of s + t''v along the v'' velocity vector. It discharges the separation?(s + t''v, v'') claim provided that we can discharge its premises. We do so by proving

v''_z ≠ 0, (84)

entry_point?((s + t''v) + θ⁺(s_z + t''v_z, v''_z)v'', v''). (85)

From the first part of the in_circle_case? predicate (75), we see v_z ≠ 0. Using vert_speeds_equal [Lemma 20] we see that v_z = v''_z. Since v_z ≠ 0 and v_z = v''_z, condition (84) is satisfied.

In order to prove (85), we expand the in_circle_case? premise and show that

(s + t''v) + θ⁺(s_z + t''v_z, v''_z)v'' = (s + t''v) + (θ⁺(s_z, v_z) − t'')v''. (86)

For, if (86) is true then the two entry_point? statements coincide. Lemma theta_translation [Lemma 12] turns (86) into

(s + t''v) + (θ⁺(s_z, v''_z) − t'')v'' = (s + t''v) + (θ⁺(s_z, v_z) − t'')v''.

Since v''_z = v_z by [Lemma 20], the two sides of the equation are equal; so condition (85) holds. This implies separation?(s + t''v, v'').

Step 3 [Timeliness]. Exactly as in [Theorem 32]. 

□ 

Finally we prove correctness in the case of a circle escape course and a circle 
recovery course. 

Theorem 35 (circle_circle)

RR3D_criteria?(s, v, v_o, v_i, t'')
∧ hor_speed_gt_0?(v_o)
∧ ground_speed_only_absolute?(v', k, v_o, v_i)
∧ ground_speed_only_absolute?(v'', j, v_o, v_i)
∧ out_circle_case?(s, v')
∧ in_circle_case?(s, v, v'', t'')
∧ time_definition?(v, v', v'', t', t'')
⊃
separation?(s, v')
∧ separation?(s + t''v, v'')
∧ s + t''v = (s + t'v') + (t'' − t')v''

Proof. Step 1 [Escape Correctness]. First instantiate circle_correctness [Lemma 27] at the starting point s along the velocity vector v'. This lemma discharges the separation?(s, v') predicate provided that (A) v'_z ≠ 0 and that (B) the point s + θ⁻(s_z, v'_z)v' along the v' velocity vector is an exit_point?. Both of these conditions are given in the out_circle_case? predicate (76).

Step 2 [Recovery Correctness]. Lemma circle_correctness [Lemma 27] is instantiated with a starting point of s + t''v along the v'' velocity vector. This lemma discharges the separation?(s + t''v, v'') claim provided that we can discharge its premises. We do so by proving

v''_z ≠ 0, (87)

entry_point?((s + t''v) + θ⁺(s_z + t''v_z, v''_z)v'', v''). (88)

From the first part of the in_circle_case? predicate (75), we get v_z ≠ 0. Using vert_speeds_equal [Lemma 20] we see that v_z = v''_z. Since v_z ≠ 0 and v_z = v''_z, condition (87) is satisfied.

In order to prove (88), we expand the in_circle_case? premise and show that

(s + t''v) + θ⁺(s_z + t''v_z, v''_z)v'' = (s + t''v) + (θ⁺(s_z, v_z) − t'')v''. (89)

For, if (89) is true, then the two entry_point? statements coincide. Lemma theta_translation [Lemma 12] turns (89) into

(s + t''v) + (θ⁺(s_z, v''_z) − t'')v'' = (s + t''v) + (θ⁺(s_z, v_z) − t'')v''.

Since v''_z = v_z by [Lemma 20], the two sides of the equation are equal; hence condition (88) holds. This proves separation?(s + t''v, v'').

□ 

5.3.4 In-Circle Case 

This section contains the proof of the in-circle case (Figure 9). Like the proofs of the line and circle cases, three conditions must be proven: the correctness of the escape course, the correctness of the recovery course, and the timeliness of the maneuver. Recall that correctness refers to the property that the aircraft do not violate the vertical and horizontal separation criteria, and timeliness refers to completing the maneuver at the time of the original operation. To prove correctness of the escape course we use circle_correctness [Lemma 27], and to prove timeliness we use gs_timeliness [Lemma 23]. To prove the correctness of the recovery course, neither of the correctness lemmas can help, so the proofs are developed from lower level lemmas. These lemmas are presented here.

Lemma 36 (vertical_criterion_sz_vz_ge_0)

|s_z| = H ∧ s_z v_z ≥ 0
⊃ ∀T : T ≥ 0 ⊃ |s_z + Tv_z| ≥ H

Proof. Consider four cases:

Case 1 [v_z < 0 ∧ s_z + Tv_z < 0]: Then s_z < 0 by s_z v_z ≥ 0, so s_z = −H. The goal −(s_z + Tv_z) ≥ H follows from T ≥ 0 and v_z < 0.

Case 2 [v_z < 0 ∧ s_z + Tv_z > 0]: From T ≥ 0 we get Tv_z ≤ 0. Adding this to s_z < 0 yields s_z + Tv_z < 0, which contradicts the assumption. So this case is impossible.

Case 3 [v_z > 0 ∧ s_z + Tv_z < 0]: Then s_z > 0 by s_z v_z ≥ 0. From T ≥ 0 we get Tv_z ≥ 0. Adding this to s_z > 0 yields s_z + Tv_z > 0, which contradicts the assumption s_z + Tv_z < 0. So this case is impossible.

Case 4 [v_z > 0 ∧ s_z + Tv_z > 0]: Then s_z > 0 by s_z v_z ≥ 0, so s_z = H. The goal s_z + Tv_z ≥ H follows from T ≥ 0 and v_z > 0.

□ 


Lemma 37 (vertical_criterion_sz_vz_le_0) 



Proof. The proof is similar to vertical_criterion_sz_vz_ge_0. 

□ 


Theorem 38 (in_circle)

RR3D_criteria?(s, v, v_o, v_i, t'')
∧ hor_speed_gt_0?(v_o)
∧ ground_speed_only_absolute?(v', k, v_o, v_i)
∧ ground_speed_only_absolute?(v'', j, v_o, v_i)
∧ v_z ≠ 0
∧ 0 < θ⁺(s_z, v_z)
∧ θ⁺(s_z, v_z) < t''
∧ entry_point?(s + θ⁺(s_z, v_z)v', v')
∧ time_definition?(v, v', v'', t', t'')
∧ t' = θ⁺(s_z, v_z)
⊃
separation?(s, v')
∧ pred_sep?(s + t'v', v'', t'' − t')
∧ s + t''v = (s + t'v') + (t'' − t')v''


Observe that the pred_sep? condition is used here instead of the separation? condition. separation? says that if the aircraft continue to fly with the same relative velocity, then the two aircraft will be separated for all time. This is a much stronger condition than is required. The pred_sep? condition says that the aircraft will be separated for (at least) the given amount of time.

Proof. Step 1 [Escape Correctness]. First instantiate circle_correctness [Lemma 27] at the starting point s along the velocity vector v'. This lemma discharges the separation?(s, v') predicate provided that v'_z ≠ 0. This can be verified since one assumption is v_z ≠ 0 and since v_z = v'_z from [Lemma 20].

Step 2 [Recovery Correctness]. Expanding pred_sep? leaves us with

hor_sep?((s + t'v') + tv''),

vert_sep?((s_z + t'v'_z) + tv''_z). (90)

We only need to prove one of these conditions, and we choose to prove (90). Expansion of vert_sep? and use of the definition of t' leaves to prove that for all 0 < t < t'' − t',

|(s_z + θ⁺(s_z, v_z)v'_z) + tv''_z| ≥ H. (91)

Let us instantiate vertical_criterion_sz_vz_ge_0 [Lemma 36] at the point s + θ⁺(s_z, v''_z)v'' along the velocity vector v''. Then (91) will be satisfied by vertical_criterion_sz_vz_ge_0 provided that (A) |s_z + θ⁺(s_z, v_z)v_z| = H and that (B) (s_z + θ⁺(s_z, v''_z)v''_z)v''_z ≥ 0. Condition (A) is met by applying reaching_H_theta [Lemma 10]. Condition (B) is met by applying vertical_entry_exit_condition [Lemma 11].

Step 3 [Timeliness]. Exactly as in [Theorem 32].

Step 3 [Timeliness]. Exactly as in [Theorem 32]. 

□ 
5.3.5 Out-Circle Case

This section contains the proof of the out-circle case (Figure 10). Like the proofs of the line and circle cases, three conditions must be proven: the correctness of the escape course, the correctness of the recovery course, and the timeliness of the maneuver. Recall that correctness refers to the property that the aircraft do not violate the vertical and horizontal separation criteria, and timeliness refers to completing the maneuver at the time of the original operation. To prove correctness of the recovery course we use circle_correctness [Lemma 27], and to prove timeliness we use gs_timeliness [Lemma 23]. To prove the correctness of the escape course, neither of the correctness lemmas can help, so the proofs are developed from lower level lemmas. Unlike all the other ground-speed-only cases, this case must explicitly state the premise that k ≠ j.

Theorem 39 (out_circle)

RR3D_criteria?(s, v, v_o, v_i, t'')
∧ hor_speed_gt_0?(v_o)
∧ ground_speed_only_absolute?(v', k, v_o, v_i)
∧ ground_speed_only_absolute?(v'', j, v_o, v_i)
∧ v_z ≠ 0
∧ 0 < θ⁻(s_z, v_z)
∧ θ⁻(s_z, v_z) < t''
∧ exit_point?(s + θ⁻(s_z, v_z)v', v')
∧ time_definition?(v, v', v'', t', t'')
∧ t' = θ⁻(s_z, v_z)
∧ k ≠ j
⊃
pred_sep?(s, v', t')
∧ separation?(s + t''v, v'')
∧ s + t''v = (s + t'v') + (t'' − t')v''

Observe that the pred_sep? condition is used here instead of the separation? condition. separation? says that if the aircraft continue to fly with the same relative velocity, then the two aircraft will be separated for all time. This is a much stronger condition than is required. The pred_sep? condition says that the aircraft will be separated for (at least) the given amount of time.

Proof. Step 1 [Escape Correctness]. Let us prove pred_sep?(s, v', t'). Expanding pred_sep? leaves to prove one of

hor_sep?(s + tv'),

vert_sep?(s_z + tv'_z). (92)

We choose to prove (92). Expansion of vert_sep? leaves to prove

|s_z + tv'_z| ≥ H (93)

for all t such that 0 < t < t'. If we instantiate vertical_criterion_sz_vz_le_0 [Lemma 37] at the point s + θ⁻(s_z, v_z)v' along the velocity vector v', then it yields the result

|s_z + t̃v''_z + θ⁻(s_z, v''_z)v''_z| ≥ H (94)

for all t̃ < 0, provided that (A) |s_z + θ⁻(s_z, v_z)v_z| = H and (B) (s_z + θ⁻(s_z, v_z)v'_z)v'_z ≤ 0. Condition (A) is met by v_z = v'_z from [Lemma 20] and by reaching_H_theta [Lemma 10]. Condition (B) is met by vertical_entry_exit_condition [Lemma 11].

To finish the proof of pred_sep?(s, v', t') we choose t̃ = t − θ⁻(s_z, v''_z). Then from (93), and since v'_z = v''_z,

s_z + tv'_z = s_z + t̃v_z + θ⁻(s_z, v_z)v'_z = s_z + t̃v''_z + θ⁻(s_z, v''_z)v''_z. (95)

From this result the inequalities (94) and (93) coincide. We moreover have t̃ < 0 since t < t' and t' = θ⁻(s_z, v''_z).

Step 2 [Recovery Correctness]. Lemma circle_correctness [Lemma 27] is instantiated with a starting point of s + t''v along the v'' velocity vector. This lemma discharges the separation?(s + t''v, v'') claim provided that we can discharge its premises. We do so by proving

v''_z ≠ 0, (96)

exit_point?((s + t''v) + θ⁻(s_z + t''v_z, v''_z)v'', v''). (97)

Lemma vert_speeds_equal [Lemma 20] yields v_z = v''_z. Since v_z ≠ 0 by premise, condition (96) holds. In order to prove (97), we show

(s + t''v) + θ⁻(s_z + t''v_z, v''_z)v'' = s + θ⁻(s_z, v_z)v', (98)

which entails that the exit_point? premise and claim (97) coincide. Lemma theta_translation [Lemma 12] yields θ⁻(s_z + t''v_z, v''_z) = θ⁻(s_z, v''_z) − t''. Since v''_z = v_z by [Lemma 20], the latter is equal to θ⁻(s_z, v_z) − t''. This turns (98) into

(s + t''v) + (θ⁻(s_z, v_z) − t'')v'' = s + θ⁻(s_z, v_z)v',

which is a restatement of the timeliness condition and can be proven with gs_timeliness [Lemma 23] as in Step 3 below. Hence condition (97) holds. This finishes the proof of separation?(s + t''v, v'').

Step 3 [Timeliness]. Exactly as in [Theorem 32]. 

□ 

5.4 Correctness of Heading Case 

In this section we prove correctness of escape courses that only change the heading, and recovery courses that only change the heading and the ground speed, of the ownship's velocity vector. This is expressed formally as

$${v'_{ox}}^2 + {v'_{oy}}^2 = v_{ox}^2 + v_{oy}^2 \quad\text{and}\quad v'_{oz} = v''_{oz} = v_{oz}.$$

For the various solutions, satisfaction of this property is not obvious; it has to be explicitly verified.

We have 6 independent solution categories: line/line (ll), line/circle (lc), circle/line (cl), circle/circle (cc), in-circle (ic), and out-circle (oc).

5.4.1 Important Lemmas 

The proofs of the main theorems for these categories are facilitated by correctness 
and heading only lemmas for each of the following cases: line escape, line recovery, 
circle escape, circle recovery, and in_circle recovery, which are reused several times 
to establish the main results. Several timeliness lemmas (timeliness, alpha_timeliness, 
vor_timeliness) establish that the evasive maneuver reaches the final destination at 
the same time as the original trajectory. 

5.4.2 The alpha_calc Function 

The following function is used throughout this section in the computation of the heading change.

$$\mathrm{alpha\_calc}(\epsilon, s) = \mathrm{IF}\; D^2 = s_x^2 \;\mathrm{THEN}\; \frac{s_y^2 - D^2}{2 s_x s_y} \;\mathrm{ELSE}\; \frac{-s_x s_y + \epsilon D\sqrt{s_x^2 + s_y^2 - D^2}}{D^2 - s_x^2} \;\mathrm{ENDIF}$$


5.4.3 Frequently Appearing Premises 

For the cases involving an escape line course, s must not be at the boundary of the infinite cylinder, i.e., s_x² + s_y² > D². The calculated time of closest approach τ(s, v') must satisfy 0 < τ(s, v') < t'. Symmetrically, for the cases involving a recovery line course, s'' must not be at the boundary of the infinite cylinder, i.e., s''_x² + s''_y² > D², and the time of closest approach τ(s'', v'') + t'' must satisfy t' < τ(s'', v'') + t'' < t''. For the cases involving a circle course, the initial relative vertical speed must not equal zero, i.e., v_z ≠ 0; otherwise, there is no solution. In other cases horizontal speeds must not be zero (e.g., hor_speed_gt_0?(v')). Finally, it is necessary to relate certain variables explicitly: v' = v'_o − v_i, v = v_o − v_i, and s'' = s + t''v.

5.4.4 The Line Escape Theorem 

Theorem 40 (line_escape) If a' = alpha_calc(−1, s) or a' = alpha_calc(1, s) holds, and the quadratic equation

$${v'_x}^2(1 + a'^2) + 2v'_x(v_{ix} + a'v_{iy}) + v_{ix}^2 + v_{iy}^2 - v_{ox}^2 - v_{oy}^2 = 0 \qquad (99)$$

has solutions x_1 and x_2, i.e., the discriminant is non-negative:

$$\mathrm{discr}\bigl(1 + a'^2,\; 2(v_{ix} + a'v_{iy}),\; v_{ix}^2 + v_{iy}^2 - v_{ox}^2 - v_{oy}^2\bigr) \ge 0,$$

then

s_x² + s_y² > D²
∧ v_ox² + v_oy² ≠ v_ix² + v_iy²
∧ hor_speed_gt_0?(v')
∧ (v'_x = x_1 ∨ v'_x = x_2)
∧ v'_y = a'v'_x
⊃ separation?(s, v')

Proof. First we establish that v'_x ≠ 0: if v'_x = 0 then (99) simplifies to v_ix² + v_iy² = v_ox² + v_oy², which contradicts the second premise. Next, using separation_lem [Lemma 1] we change the goal to separation?(s + τ(s, v')v', v'). The goal is further reduced by line_case_correctness [Theorem 2] to tangent_point?(s + τ(s, v')v', v'). Next, using tau_is_tangent_pt [Lemma 4] the goal is simplified to tangent_condition?(s, v'), which expands to

$$D^2({v'_x}^2 + {v'_y}^2) = (s_x v'_y - s_y v'_x)^2.$$

Rewriting the goal with the last premise we get $D^2({v'_x}^2 + (a'v'_x)^2) = (s_x a' v'_x - s_y v'_x)^2$. Dividing both sides by ${v'_x}^2$ yields

$$D^2(1 + a'^2) = (s_x a' - s_y)^2,$$

which can be rearranged into a quadratic equation in a':

$$a'^2(D^2 - s_x^2) + 2a's_xs_y + D^2 - s_y^2 = 0. \qquad (100)$$

If D² = s_x², the goal simplifies to

$$2a's_xs_y + D^2 - s_y^2 = 0, \qquad (101)$$

which follows trivially from the definition of a' given by alpha_calc. Otherwise, Equation (100) has solutions

$$a' = \frac{-s_xs_y + \epsilon' D\sqrt{s_x^2 + s_y^2 - D^2}}{D^2 - s_x^2}$$

where ε' ∈ {−1, 1}. This also matches the definition of a' given by alpha_calc.

□ 

Theorem 41 (line_esc_hd_only) If the quadratic equation (99) has solutions x_1 and x_2, then

s_x² + s_y² > D²
∧ v_ox² + v_oy² ≠ v_ix² + v_iy²
∧ v' = v'_o − v_i
∧ (v'_x = x_1 ∨ v'_x = x_2)
∧ v'_y = a'v'_x
∧ v'_oz = v_oz
⊃ heading_only?(v_o, v'_o)
Proof. Equation (99) can be re-arranged to

$${v'_x}^2 + v_{ix}^2 + v_{iy}^2 + {v'_x}^2 a'^2 + 2v'_x v_{ix} - v_{ox}^2 - v_{oy}^2 + 2v'_x v_{iy} a' = 0,$$

and then to

$$(v'_x + v_{ix})^2 + (a'v'_x + v_{iy})^2 = v_{ox}^2 + v_{oy}^2.$$

Replacing with the premises a'v'_x = v'_y and v' = v'_o − v_i turns this into

$$(v'_{ox} - v_{ix} + v_{ix})^2 + (v'_{oy} - v_{iy} + v_{iy})^2 = v_{ox}^2 + v_{oy}^2,$$

which simplifies to ${v'_{ox}}^2 + {v'_{oy}}^2 = v_{ox}^2 + v_{oy}^2$, which is the expanded heading_only?(v_o, v'_o).

□


5.4.5 The Line Recovery Theorem

Theorem 42 (line_recovery)

$$\begin{aligned}
& \alpha'' = \mathrm{alpha\_calc}(\epsilon, s'') \\
\wedge\;& s'' = s + t''v \wedge \mathrm{hor\_speed\_gt\_0?}(v'') \\
\wedge\;& t'' \ne t' \wedge {s''_x}^2 + {s''_y}^2 - D^2 > 0 \wedge s''_y \ne 0 \\
\wedge\;& v'_y - \alpha'' v'_x \ne 0 \\
\wedge\;& t' = t''\,\frac{v_y - \alpha'' v_x}{v'_y - \alpha'' v'_x} \\
\wedge\;& v''_x = \frac{t''v_x - t'v'_x}{t'' - t'} \\
\wedge\;& v''_y = \alpha'' v''_x \wedge v'_z = v_z \wedge v''_z = v_z \\
\supset\;& \mathrm{separation?}(s + t'v', v'')
\end{aligned}$$

Proof. First we show that

$$s + t'v' = s'' - (t'' - t')v''. \qquad (102)$$

Since $s'' = s + t''v$ we need only show that

$$(t'' - t')v'' = t''v - t'v'.$$

To prove this we show (31), (32), and (33). From the premise defining $v''_x$, we get

$$v''_x(t'' - t') = t''v_x - t'v'_x \qquad (103)$$

by cross-multiplying, which establishes (31). From the premise defining $t'$, we get

$$v_y t'' - v_x \alpha'' t'' = v'_y t' - v'_x \alpha'' t'$$

by cross-multiplication. Rearrangement yields

$$v_y t'' + \alpha''(v'_x t' - v_x t'') = v'_y t',$$

which can be rewritten using the premise defining $v''_x$ as

$$v_y t'' + \alpha'' v''_x(t' - t'') = v'_y t'.$$

By $v''_y = \alpha'' v''_x$, this turns into

$$v''_y(t'' - t') = t''v_y - t'v'_y,$$

which establishes (32). Since $v'_z = v_z$ and $v''_z = v_z$, we also have (33).

Now that we have proven (102), we may rewrite the goal of the theorem to

$$\mathrm{separation?}(s'' - (t'' - t')v'', v'').$$

Using separation_lem [Lemma 1] we change the starting point for the goal:

$$\mathrm{separation?}(s'' - (t'' - t')v'' + (\tau(s'', v'') - t' + t'')v'', v''),$$

which can be simplified to

$$\mathrm{separation?}(s'' + \tau(s'', v'')v'', v'').$$

Using line_case_correctness [Theorem 2] this goal can be reduced to $\mathrm{tangent\_point?}(s'' + \tau(s'', v'')v'', v'')$. Next, using tau_is_tangent_pt [Lemma 4], the goal is simplified to proving $\mathrm{tangent\_condition?}(s'', v'')$, which expands to

$$D^2({v''_x}^2 + {v''_y}^2) = (s''_x v''_y - s''_y v''_x)^2. \qquad (104)$$

We consider two cases:

Case 1 [$D^2 = {s''_x}^2$]: In this case (104) reduces to

$$D^2{v''_x}^2 = -2s''_x s''_y v''_x v''_y + {s''_y}^2{v''_x}^2. \qquad (105)$$

Expansion of alpha_calc yields

$$\alpha'' = \frac{{s''_y}^2 - D^2}{2s''_x s''_y}.$$

This and the premise $v''_y = \alpha'' v''_x$ solve (105).

Case 2 [$D^2 \ne {s''_x}^2$]: In this case expansion of alpha_calc yields

$$\alpha'' = \frac{-s''_x s''_y + \epsilon D\sqrt{{s''_x}^2 + {s''_y}^2 - D^2}}{D^2 - {s''_x}^2},$$

which solves the quadratic equation

$$D^2(1 + \alpha''^2) = (s''_x\alpha'' - s''_y)^2.$$

Multiplying both sides by ${v''_x}^2$ yields

$$D^2(1 + \alpha''^2){v''_x}^2 = (s''_x\alpha'' - s''_y)^2{v''_x}^2,$$

from which (104) follows by the premise $v''_y = \alpha'' v''_x$.

□
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5.4.6 The Circle Escape Theorem 

First we show that the constructed solution is at the cylinder boundary. 
Lemma 43 (cir_esc_cyl) If the quadratic equation 


v 2 A + vB + C = 0, (106) 

defined by 

A = 4 0 2 ((s x - 0v ix ) 2 + ( s y - 0v iy ) 2 ), 

B = 4 (s x - 9v ix )6E , 
c = E 2 - 4 (s y - 0v iy ) 2 0 2 {v 2 ox + vly), 

E = (s x - 0v ix ) 2 + (s y - Oviy) 2 + e 2 v 2 x + 0 2 v 2 y - D 2 

is a proper quadratic equation, i.e., A / 0, and has solutions v\ and V 2 , i-e. 
discr(T, B, C) > 0, then 

v z ~f~ 0 

A sign(— 2 (s y - 6viy)6v' oy ) = sign(E + 2 (s x - 9v ix )9v' ox ) 

h v ox T e (j! j ~ A v ox 
A {v' ox = vi V v' ox = v 2 ) 

A v' oy = \Jv ox 2 + v oy 2 - v' ox 2 
D on_cyl?(s + 9v') 

Proof. Since v' ox is a solution of the quadratic equation (106), we have: 

Av'ox + Bv' ox + C = 0 

Substituting A, B, C\ using the squared premise that defines v' oy : 

/2 2 i 2 /2 

V = v V — V 
oy ox 1 oy ^ oxi 

and simplifying turns this into 
[-2 (s y - 9v iy )9v ' oy ] 2 = 

[(fix — 9vi x ) 2 + ( Sy — 9viy) 2 + 2 (s x — 9vi X )9v ox + 9 ~v' 2 x + 9 2 v ( f y — D 2 ] 2 . 
By premise, 

sign(— 2(sj, - 9v iy )9v' oy ) = sign(E + 2 (s x - 9v ix )9v' ox ), 
so we can take the square-root of both sides and further simplify to obtain: 

(s x + 9{v 0x — Vixf) + ( Sy + 9{v 0 y — Viy )) = 

which is the expansion of on_cyl?(s + 9v'). 

□ 
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Theorem 44 (circle_escape) If the quadratic equation 


v 2 A + vB + C = 0, 

defined by 

A = 4 0 2 {(s x - 9v ix ) 2 + (s y - dv iy ) 2 ), 

B = 4 (s x - 6v ix )6E , 

C = E 2 -4(s„ -6v iy ) 2 6 2 (v 2 ox + v 2 oy ), 

E = (s x - 6v ix ) 2 + (s y - dv iy ) 2 + e 2 v 2 ox + 9 2 v 2 oy - D 2 


is a proper quadratic equation, i.e., A / 0, and has solutions v\ and V 2 , i-e. 
discr(yl, B, C) > 0, and 


v z 0 A 6 = 9 £ (s z ,v z ) 

A ((exit l{s + 9v',v') A e = — 1) V 

(entry?(s + 9v',v') A £ = 1)) 

A Vox T v oy — ^ ox 
A (v' ox = »i V = v 2 ) 

A u oy = \J v ox 2 + u oy 2 - ?4, 2 

A v = v Q — Vi A v' = v' 0 — Vi A v' z = v z 

A sign(-2 ( 5 ^ - 9v iy )9v' oy ) = sign(£ + 2(5^ - 9v ix )9v' ox ) 


then we have 


separation ?(s + 9v', v") 


Proof. Using circle_correctness [Lemma 27] the goal can be reduced to: 

exit_point?(s + 9~(s z , v' z )v', v') V entry_point?(s + 9 + (s z , v' z )v' , v') 

By expanding the definitions of entry_point? and exit_point? and by simplifying, the 
goal becomes: 

(on_cyl?(s + 9 £ (s z ,v' z )v') A 
((exit?(s + 9 £ (s z , v z )v r , v') A e = — 1) V 
(entry ?(s + 9 £ (s z ,v z )v' ,v') A £ = 1)) 

Using the entry? and exit? premises we end up with the following subgoal: 

on_cyl?(s + 9 £ (s z , v z )v') 

This is discharged with cir_esc_cyl [Lemma 43] and by the premise v z = v z . 

□ 
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Theorem 45 (circle_hd_only) 

2 , 2^/2 

Vox 4" V 0 y ^ 

A v' oy = \J v ox 2 + u G y 2 - <4 A = u 0;J 
A v = v 0 — Vi /\ v' = v' 0 — Vi A v' z = v z 

D heading_only?(u 0 , v' 0 ) 

Proof. The result follows trivially by squaring both sides of the second premise and 
expanding the definition of heading_only?. 

□ 
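A numerical check of Lemma 43 and Theorem 45, added here and not part of the paper or its PVS development: the coefficients A, B, C and E of (106) are built from a constructed scenario, v'_oy is taken as the positive square root exactly as in the lemma, and the sign premise is used to discard the roots that satisfy only the squared equation (the missing assumption reported for Equation 4.42 in the appendix). The scenario values and the time theta are assumptions.

```python
import math

# Constructed scenario (not from the paper): horizontal components only, arbitrary units.
D = 5.0
VO = (10.0, 4.0)           # ownship velocity v_o
VI = (2.0, 1.0)            # intruder velocity v_i
THETA = 2.5                # theta: time at which the escape path must be on the cylinder boundary
S_BELOW = (-20.0, -10.0)   # relative position s for which both roots pass the sign premise
S_ABOVE = (-20.0, 10.0)    # mirrored s: the quadratic has the same roots, but both fail the premise
EPS = 1e-9                 # tolerance for floating-point comparisons


def sign(x):
    return (x > 0) - (x < 0)


def real_roots(a, b, c):
    """Real roots of a x^2 + b x + c = 0; empty when the discriminant is negative."""
    disc = b * b - 4 * a * c
    if disc < 0:
        return []
    r = math.sqrt(disc)
    return [(-b + r) / (2 * a), (-b - r) / (2 * a)]


def escape_quadratic(s, vo, vi, d, theta):
    """Coefficients A, B, C and the auxiliary E of Eq. (106), Lemma 43 (cir_esc_cyl)."""
    px, py = s[0] - theta * vi[0], s[1] - theta * vi[1]    # (s_x - theta v_ix, s_y - theta v_iy)
    speed2 = vo[0] ** 2 + vo[1] ** 2                       # v_ox^2 + v_oy^2
    e = px * px + py * py + theta * theta * speed2 - d * d
    a = 4 * theta * theta * (px * px + py * py)
    b = 4 * px * theta * e
    c = e * e - 4 * py * py * theta * theta * speed2
    return a, b, c, e


def sign_premise(s, vi, theta, e, vo_new):
    """sign(-2 (s_y - theta v_iy) theta v'_oy) = sign(E + 2 (s_x - theta v_ix) theta v'_ox)."""
    px, py = s[0] - theta * vi[0], s[1] - theta * vi[1]
    return sign(-2 * py * theta * vo_new[1]) == sign(e + 2 * px * theta * vo_new[0])


def on_cyl(p, d):
    """on_cyl?(p): p lies on the boundary of the protected cylinder (horizontal plane)."""
    return math.isclose(p[0] ** 2 + p[1] ** 2, d * d, rel_tol=EPS, abs_tol=EPS)


def circle_escape(s, vo, vi, d, theta, check_sign=True):
    """New ownship velocities v'_o built as in Lemma 43 from the roots of (106), each with the
    on_cyl? check of the lemma's conclusion and the heading_only? check of Theorem 45.
    With check_sign=False the sign premise is skipped, which lets spurious roots through."""
    a, b, c, e = escape_quadratic(s, vo, vi, d, theta)
    if abs(a) < EPS:
        return []                                          # not a proper quadratic equation
    speed2 = vo[0] ** 2 + vo[1] ** 2
    out = []
    for x in real_roots(a, b, c):
        if x * x > speed2:                                 # premise v_ox^2 + v_oy^2 >= v'_ox^2
            continue
        vo_new = (x, math.sqrt(speed2 - x * x))            # v'_oy = sqrt(v_ox^2 + v_oy^2 - v'_ox^2)
        if check_sign and not sign_premise(s, vi, theta, e, vo_new):
            continue                                       # root introduced by squaring, not a solution
        v_new = (vo_new[0] - vi[0], vo_new[1] - vi[1])     # v' = v'_o - v_i
        point = (s[0] + theta * v_new[0], s[1] + theta * v_new[1])
        out.append({
            "vo_new": vo_new,
            "on_cyl": on_cyl(point, d),
            "heading_only": math.isclose(vo_new[0] ** 2 + vo_new[1] ** 2, speed2, rel_tol=EPS),
        })
    return out
```

For S_BELOW both roots pass and land on the cylinder; for S_ABOVE the same two roots are rejected by the sign premise, and with check_sign=False they are kept but fail on_cyl?.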

5.4.7 The Circle Recovery Theorem

First we prove that the constructed solution is on the boundary of the infinite cylinder.

Lemma 46 (cir_rec_lem) If the quadratic equation $at^2 + bt + c = 0$, defined by

$$\begin{aligned}
A_x &= s''_x + (\theta'' - t'')v'_x, & A_y &= s''_y + (\theta'' - t'')v'_y, \\
B_x &= s_x + \theta'' v_x, & B_y &= s_y + \theta'' v_y, \\
a &= A_x^2 + A_y^2 - D^2, \\
b &= 2t''(D^2 - A_x B_x - A_y B_y), \\
c &= t''^2(B_x^2 + B_y^2 - D^2),
\end{aligned}$$

is a proper quadratic equation, i.e., $a \ne 0$, and has solutions $t_1$ and/or $t_2$, i.e. $\mathrm{discr}(a, b, c) \ge 0$,

$$\begin{aligned}
& (t' = t_1 \vee t' = t_2) \\
\wedge\;& s'' = s + t''v \wedge t' \ne t'' \\
\wedge\;& v''_x = \frac{t''v_x - t'v'_x}{t'' - t'} \\
\wedge\;& v''_y = \frac{t''v_y - t'v'_y}{t'' - t'} \\
\supset\;& \mathrm{on\_cyl?}(s + t'v' + (\theta'' - t')v'')
\end{aligned}$$

Proof. Expanding the coefficients of the quadratic equation yields

$$\begin{aligned}
& t'^2\big[(s''_x + (\theta'' - t'')v'_x)^2 + (s''_y + (\theta'' - t'')v'_y)^2 - D^2\big] \\
+\;& 2t't''\big[D^2 - (s''_x + (\theta'' - t'')v'_x)(s_x + \theta''v_x) - (s''_y + (\theta'' - t'')v'_y)(s_y + \theta''v_y)\big] \\
+\;& t''^2\big((s_x + \theta''v_x)^2 + (s_y + \theta''v_y)^2 - D^2\big) = 0.
\end{aligned}$$

Rewriting with $s'' = s + t''v$ and rearranging yields:

$$\begin{aligned}
& [s_x(t'' - t') - v_x t't'' - v'_x t'\theta'' + v_x\theta''t'' + v'_x t't'']^2 \\
+\;& [s_y(t'' - t') - v_y t't'' - v'_y t'\theta'' + v_y\theta''t'' + v'_y t't'']^2 = D^2(t'' - t')^2.
\end{aligned}$$

From the premises defining $v''_x$ and $v''_y$, we get by cross-multiplication:

$$v''_x(t'' - t') = t''v_x - t'v'_x, \qquad v''_y(t'' - t') = t''v_y - t'v'_y.$$

Rewriting with these and rearranging yields

$$[(s_x + t'v'_x + (\theta'' - t')v''_x)(t'' - t')]^2 + [(s_y + t'v'_y + (\theta'' - t')v''_y)(t'' - t')]^2 = D^2(t'' - t')^2.$$

Factoring out $(t'' - t')^2$ and dividing both sides by $(t'' - t')^2$ yields the on_cyl? claim when it is expanded.

□ 
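The quadratic of Lemma 46 evaluated on constructed inputs, as an added example that is not part of the paper or its PVS development: for each root t' it builds v'' from the premises, then checks on_cyl? at the point reached at time theta'' (the lemma's conclusion) and the timeliness identity of Lemma 50. The inputs, including the escape velocity v', are assumptions; the lemma itself places no sign constraint on t', so only the root in (0, theta'') corresponds to a realistic maneuver.

```python
import math

# Constructed sample inputs (not from the paper); horizontal components only, arbitrary units.
D = 5.0
S = (-20.0, -10.0)     # relative position s at the start of the escape leg
V = (8.0, 3.0)         # original relative velocity v (the path to rejoin)
V_ESC = (7.0, 5.0)     # relative escape velocity v' (any value serves Lemma 46)
T_PP = 6.0             # t'': time at which the original path is rejoined
THETA_PP = 3.0         # theta'': time at which vertical separation is regained
EPS = 1e-9             # tolerance for floating-point comparisons


def real_roots(a, b, c):
    """Real roots of a x^2 + b x + c = 0; empty when the discriminant is negative."""
    disc = b * b - 4 * a * c
    if disc < 0:
        return []
    r = math.sqrt(disc)
    return [(-b + r) / (2 * a), (-b - r) / (2 * a)]


def recovery_quadratic(s, v, v_esc, t_pp, theta_pp, d):
    """Coefficients (a, b, c) of a t'^2 + b t' + c = 0 as defined in Lemma 46 (cir_rec_lem)."""
    s_pp = (s[0] + t_pp * v[0], s[1] + t_pp * v[1])          # s'' = s + t'' v
    ax = s_pp[0] + (theta_pp - t_pp) * v_esc[0]              # A_x = s''_x + (theta'' - t'') v'_x
    ay = s_pp[1] + (theta_pp - t_pp) * v_esc[1]              # A_y
    bx = s[0] + theta_pp * v[0]                              # B_x = s_x + theta'' v_x
    by = s[1] + theta_pp * v[1]                              # B_y
    a = ax * ax + ay * ay - d * d
    b = 2 * t_pp * (d * d - ax * bx - ay * by)
    c = t_pp * t_pp * (bx * bx + by * by - d * d)
    return a, b, c


def recovery_velocity(v, v_esc, t_p, t_pp):
    """v'' = (t'' v - t' v') / (t'' - t'), the premises defining v''_x and v''_y."""
    return tuple((t_pp * v[k] - t_p * v_esc[k]) / (t_pp - t_p) for k in range(2))


def on_cyl(p, d):
    """on_cyl?(p): p lies on the boundary of the protected cylinder (horizontal plane)."""
    return math.isclose(p[0] ** 2 + p[1] ** 2, d * d, rel_tol=EPS, abs_tol=EPS)


def circle_recovery_candidates(s=S, v=V, v_esc=V_ESC, t_pp=T_PP, theta_pp=THETA_PP, d=D):
    """For each root t' of the Lemma 46 quadratic: v'', whether s + t' v' + (theta'' - t') v''
    is on the cylinder boundary (the lemma's conclusion), and whether the recovery path
    rejoins s + t'' v at time t'' (Lemma 50)."""
    a, b, c = recovery_quadratic(s, v, v_esc, t_pp, theta_pp, d)
    if abs(a) < EPS:
        return []                                            # not a proper quadratic equation
    target = tuple(s[k] + t_pp * v[k] for k in range(2))    # s + t'' v
    out = []
    for t_p in real_roots(a, b, c):
        if abs(t_pp - t_p) < EPS:                            # premise t' != t''
            continue
        v_rec = recovery_velocity(v, v_esc, t_p, t_pp)
        point = tuple(s[k] + t_p * v_esc[k] + (theta_pp - t_p) * v_rec[k] for k in range(2))
        rejoin = tuple(s[k] + t_p * v_esc[k] + (t_pp - t_p) * v_rec[k] for k in range(2))
        out.append({
            "t_prime": t_p,
            "v_rec": v_rec,
            "on_cyl": on_cyl(point, d),
            "timely": all(math.isclose(p, q, rel_tol=EPS, abs_tol=EPS) for p, q in zip(rejoin, target)),
        })
    return out
```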


Theorem 47 (circle_recovery) If the quadratic equation $at^2 + bt + c = 0$, defined by:

$$\begin{aligned}
A_x &= s''_x + (\theta'' - t'')v'_x, & A_y &= s''_y + (\theta'' - t'')v'_y, \\
B_x &= s_x + \theta'' v_x, & B_y &= s_y + \theta'' v_y, \\
a &= A_x^2 + A_y^2 - D^2, \\
b &= 2t''(D^2 - A_x B_x - A_y B_y), \\
c &= t''^2(B_x^2 + B_y^2 - D^2)
\end{aligned}$$

is a proper quadratic equation, i.e., $a \ne 0$, and has solutions $t_1$ and $t_2$, i.e. $\mathrm{discr}(a, b, c) \ge 0$, and the following hold

$$\begin{aligned}
& \mathrm{hor\_speed\_gt\_0?}(v') \wedge v' = v'_o - v_i \wedge s'' = s + t''v \\
\wedge\;& v_z \ne 0 \wedge \theta'' = \theta^+(s_z, v_z) \\
\wedge\;& \theta'' < t'' \\
\wedge\;& (t' = t_1 \vee t' = t_2) \\
\wedge\;& t' \ne t'' \wedge v''_x = \frac{t''v_x - t'v'_x}{t'' - t'} \\
\wedge\;& v''_y = \frac{t''v_y - t'v'_y}{t'' - t'} \wedge v'_z = v_z \wedge v''_z = v_z \\
\wedge\;& [s''_x + (\theta'' - t'')v''_x]v''_x + [s''_y + (\theta'' - t'')v''_y]v''_y < 0
\end{aligned}$$

then we have

$$\mathrm{separation?}(s + t'v', v'')$$

Proof. From the premises defining $v''_x$ and $v''_y$, and the premises $v''_z = v_z = v'_z$, we get:

$$\begin{aligned}
v''_x(t'' - t') &= t''v_x - t'v'_x, & (107) \\
v''_y(t'' - t') &= t''v_y - t'v'_y, & (108) \\
v''_z(t'' - t') &= t''v_z - t'v'_z.
\end{aligned}$$

Hence we have

$$v''(t'' - t') = t''v - t'v'.$$

Using $t''v = s'' - s$, and rearranging, we get

$$s + t'v' = s'' - (t'' - t')v''.$$

Thus the goal is reduced to $\mathrm{separation?}(s'' - (t'' - t')v'', v'')$. We use separation_lem [Lemma 1] to change the starting point for the goal to

$$\mathrm{separation?}(s'' - (t'' - t')v'' + (\theta'' - t')v'', v''),$$

which can be simplified to

$$\mathrm{separation?}(s'' + (\theta'' - t'')v'', v'').$$

Using circle_case_correctness [Theorem 3] this goal can be reduced to:

$$\begin{aligned}
& |s''_z + (\theta'' - t'')v''_z| \ge H, & (109) \\
& \mathrm{entry\_point?}(s'' + (\theta'' - t'')v'', v''), & (110) \\
& (s''_z + (\theta'' - t'')v''_z)v''_z > 0. & (111)
\end{aligned}$$

Claim (109) follows directly from the definition of $\theta^+$ (30). For (110) we expand the definition of entry_point?. This produces the subgoals

$$\begin{aligned}
& \mathrm{on\_cyl?}(s'' + (\theta'' - t'')v''), & (112) \\
& [s''_x + (\theta'' - t'')v''_x]v''_x + [s''_y + (\theta'' - t'')v''_y]v''_y < 0, & (113) \\
& (s''_z + (\theta'' - t'')v''_z)v''_z > 0. & (114)
\end{aligned}$$

In (112), we expand on_cyl?. This reduces the goal to

$$[s''_x + (\theta'' - t'')v''_x]^2 + [s''_y + (\theta'' - t'')v''_y]^2 = D^2. \qquad (115)$$

From cir_rec_lem [Lemma 46] we have:

$$[s_x + t'v'_x + (\theta'' - t')v''_x]^2 + [s_y + t'v'_y + (\theta'' - t')v''_y]^2 = D^2, \qquad (116)$$

which is the horizontal distance to the origin at time $\theta''$. Rearranging and substituting formulas (107) and (108) into (116), we obtain:

$$[s_x + v''_x(\theta'' - t'') + t''v_x]^2 + [s_y + v''_y(\theta'' - t'') + t''v_y]^2 = D^2.$$

By $s'' = s + t''v$, we get (112).

The subgoal (113) is exactly the last premise.

This leaves to prove (114). Lemma vertical_entry_exit_condition [Lemma 11] gives us:

$$s_z v_z + \theta'' v_z v_z > 0.$$

Using $s_z = s''_z - t''v_z$ and $v_z = v''_z$, we get

$$(s''_z - t''v_z)v''_z + \theta'' v_z v''_z > 0.$$

Factoring this formula yields (114) as wanted. This also proves (111).

□
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5.4.8 The In-Circle Recovery Theorem 
Theorem 48 (in_circle_recovery) 

» z /0a/ = 9 + (s z ,v z ) A 
v' z = v z A v" = v z 

D separation_pos?(s + t'v', v") 


where separation_pos? is defined by 

separation_pos?(s, v) =V T > 0 :hor_sep?(s + Tv) V vert_sep?(s + Tv) 

Proof. Since t' = 9 + (s z ,v z ), we seek to establish 

vert_sep?(s + 9 + (s z , v z )v' + Tv") 
for all T > 0. By definition of vert_sep? this is 

\s z + 6 + (s z ,v z )v' z + Tv"\> H (117) 

Case A [v z > 0]: From dehnition of 8 + (30) we get: 

s z + 9 + (s z ,v z )v z = H 
and since v' z = v z , the goal (117) becomes: 

\H + Tv'!\ > H 

By v" z = v z , we have Tv" > 0 and the result trivially follows. 

Case B [v z < 0]: From dehnition of 9 + (30) we get: 

+ 0 + (s z ,v z )v z = -H 

and since v' z = v z , the goal (117) becomes: 

| -H + Tv"\ > H 

Now, since v" = v z . we have Tv" <0 and the result follows. 

□ 


5.4.9 The Out-Circle Recovery Theorem

Theorem 49 (out_circle_recovery) If the quadratic equation

$$v^2 A + vB + C = 0,$$

defined by

$$\begin{aligned}
A &= 4\theta'^2((s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2), \\
B &= 4(s_x - \theta' v_{ix})\theta' E, \\
C &= E^2 - 4(s_y - \theta' v_{iy})^2\theta'^2(v_{ox}^2 + v_{oy}^2), \\
E &= (s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2 + \theta'^2 v_{ox}^2 + \theta'^2 v_{oy}^2 - D^2
\end{aligned}$$

is a proper quadratic equation, i.e., $A \ne 0$, and has solutions $v_1$ and $v_2$, i.e. $\mathrm{discr}(A, B, C) \ge 0$, and

$$\begin{aligned}
& v_z \ne 0 \wedge \theta' = t' = \theta^-(s_z, v_z) \\
\wedge\;& s'' = s + t''v \\
\wedge\;& v_{ox}^2 + v_{oy}^2 \ge {v'_{ox}}^2 \\
\wedge\;& (v'_{ox} = v_1 \vee v'_{ox} = v_2) \\
\wedge\;& v'_{oy} = \sqrt{v_{ox}^2 + v_{oy}^2 - {v'_{ox}}^2} \\
\wedge\;& v = v_o - v_i \wedge v'_z = v_z \wedge v''_z = v_z \\
\wedge\;& \mathrm{sign}(-2(s_y - \theta' v_{iy})\theta' v'_{oy}) = \mathrm{sign}(E + 2(s_x - \theta' v_{ix})\theta' v'_{ox}) \\
\wedge\;& \mathrm{exit?}(s + \theta' v', v'') \\
\supset\;& \mathrm{separation?}(s + t'v', v'')
\end{aligned}$$

Proof. Using the lemma circle_case_correctness [Theorem 3], the goal is reduced to

$$\begin{aligned}
& |s_z + t'v'_z| \ge H, & (118) \\
& \mathrm{exit\_point?}(s + t'v', v''), & (119) \\
& (s_z + t'v'_z)v''_z < 0. & (120)
\end{aligned}$$

Claim (118) is easily discharged using reaching_H_theta [Lemma 10]. By the exit? premise, (119) reduces to $\mathrm{on\_cyl?}(s + t'v')$, which is proven by cir_esc_cyl [Lemma 43]. This leaves us with

$$(s_z + t'v'_z)v''_z < 0.$$

Substituting with $t' = \theta'$, $v'_z = v_z$ and $v''_z = v_z$ yields:

$$(s_z + \theta' v_z)v_z < 0. \qquad (121)$$

From the definition of $\theta^-(s_z, v_z)$ described in (29), we obtain

$$\theta' v_z = -s_z - \mathrm{sign}(v_z)H,$$

and so the goal simplifies to

$$-\mathrm{sign}(v_z)Hv_z < 0.$$

Case analysis on whether or not $v_z > 0$ solves this goal.

□

5.4.10 Timeliness Properties

Lemma 50 (timeliness)

$$\begin{aligned}
& t'' \ne t' \wedge v''_x = \frac{t''v_x - t'v'_x}{t'' - t'} \\
\wedge\;& v''_y = \frac{t''v_y - t'v'_y}{t'' - t'} \wedge v'_z = v_z \wedge v''_z = v_z \\
\supset\;& s + t''v = s + t'v' + (t'' - t')v'' \qquad (122)
\end{aligned}$$

Proof. The result follows trivially by cross-multiplying premises 2 and 3.

□


Theorem 51 (alpha_timeliness)

$$\begin{aligned}
& t'' \ne t' \wedge v''_x = \frac{t''v_x - t'v'_x}{t'' - t'} \\
\wedge\;& v''_y = \alpha v''_x \wedge v'_y - \alpha v'_x \ne 0 \\
\wedge\;& t' = t''\,\frac{v_y - \alpha v_x}{v'_y - \alpha v'_x} \\
\wedge\;& v'_z = v_z \wedge v''_z = v_z \\
\supset\;& s + t''v = s + t'v' + (t'' - t')v''
\end{aligned}$$

Proof. Using timeliness [Theorem 50] the goal is reduced to

$$v''_y = \frac{t''v_y - t'v'_y}{t'' - t'}.$$

Cross-multiplication, replacement by $v''_y = \alpha v''_x$, and rearrangement reduces this to

$$\alpha v''_x(t'' - t') = t''v_y - t'v'_y. \qquad (123)$$

Multiplying both sides of the defining premise of $v''_x$ by $(t'' - t')\alpha$ and rearranging yields

$$v_x\alpha t'' = v''_x\alpha t'' - v''_x\alpha t' + v'_x\alpha t'. \qquad (124)$$

Cross-multiplying the defining premise of $t'$ yields

$$v'_y t' - v'_x\alpha t' = v_y t'' - v_x\alpha t''.$$

Replacing (124) in this equation and simplifying yields (123) as wanted.

□


Theorem 52 (vor_timeliness)

$$\begin{aligned}
& t' \ne t'' \wedge v''_{ox} = \frac{t'v'_{ox} - t''v_{ox}}{t' - t''} \\
\wedge\;& v''_{oy} = \frac{t'v'_{oy} - t''v_{oy}}{t' - t''} \wedge v'_z = v_z \wedge v''_z = v_z \\
\wedge\;& v = v_o - v_i \wedge v' = v'_o - v_i \wedge v'' = v''_o - v_i \\
\supset\;& s + t''v = s + t'v' + (t'' - t')v''
\end{aligned}$$

Proof. Using lemma timeliness the goal is reduced to

$$v''_x = \frac{t'v'_x - t''v_x}{t' - t''}, \qquad v''_y = \frac{t'v'_y - t''v_y}{t' - t''}.$$

Modulo the definitions of $v$, $v'$, and $v''$, the cross-multiplied versions of these equations match the cross-multiplied versions of premises 2 and 3.

□
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5.4.11 Line/line 

The line/line situation is shown in Figure 4. 

Theorem 53 (llhd) If a' = alpha_calc(— 1, s) or a! = alpha_calc(l, s), and the 

quadratic equation 

v x(l + a ' 2 ) + 2 v x( v ix + a>v iy) + vfx + V?y - Vox ~ v oy = 0 

has solutions x\ and X 2 , i.e., the discriminant is non-negative: 

dlSCr(l + OL , 2 Vix T CX Viy , Vi x '0%y V ox V oy ) ^ 0 

then 


A 

A 

A 

A 

A 

A 

A 

A 

A 

A 


v = v 0 — Vi f\ v = v 0 — Vi A s = s + t v 
S X 2 + Sy 2 > D 2 

2 I 2 / 2 I 2 

Vox 4“ Voy j- Vi x T V%y 

hor_speed_gt_0?(V) A hor_speed_gt_0?(u w ) 

W x = xi V v' x = x 2 ) 
v' y = a' v' x A t" / t' 

// 2 . // 2 2 \ n a // / n 

— -D 

a" = alpha_calc(£, s w ) A v' y — a /, i4 / 0 
, = „ v y -a"v x 
v'y - o"v' x 

n = t"v x ~ t'v'x 
x t" - t' 

v'y = A v' z = v z A v " = v z 

D 

separation?(s, r/) A 
separation?(s + fV, u w ) A 
heading_only?(u 0 , v' a ) A 

i i / / | ,/ / - /,// ,/\ // 


Proof. The theorem follows directly from the four theorems line_escape [Theorem 40], 
line_recovery [Theorem 42], line_esc_hd_only [Theorem 41], and alpha_timeliness [The- 
orem 51]. 

□ 
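The line/line maneuver of Theorem 53 carried out numerically, as an added example that is not part of the paper or its PVS development: alpha_calc is implemented from the closed form derived in the proof of Theorem 40 (including the degenerate case (101)), the escape velocity v' is taken from the roots of (99), the recovery leg follows the premises of Theorem 42, and the four conclusions (separation on both legs, heading_only?, and the timeliness identity of Lemma 50) are checked for every escape/recovery combination. The scenario numbers and the closest-approach time used to evaluate separation? are my own assumptions.

```python
import math

# Constructed scenario (not from the paper): horizontal components only, arbitrary units.
D = 5.0                 # required horizontal separation
S = (-20.0, 10.0)       # relative position s = s_o - s_i
VO = (10.0, 4.0)        # ownship velocity v_o
VI = (2.0, 1.0)         # intruder velocity v_i
T_PP = 6.0              # t'': time at which the ownship rejoins its original path
EPS = 1e-9              # tolerance for floating-point comparisons


def alpha_calc(eps, s, d):
    """Slope alpha of a velocity tangent to the circle of radius d, i.e. a root of (100);
    eps in {-1, 1} selects one of the two tangents. Requires s_x^2 + s_y^2 > d^2."""
    sx, sy = s
    if sx * sx + sy * sy <= d * d:
        raise ValueError("s must lie outside the protected circle")
    if abs(d * d - sx * sx) < EPS:                       # degenerate case (101)
        return -(d * d - sy * sy) / (2 * sx * sy)
    return (-sx * sy + eps * d * math.sqrt(sx * sx + sy * sy - d * d)) / (d * d - sx * sx)


def real_roots(a, b, c):
    """Real roots of a x^2 + b x + c = 0; empty when the discriminant is negative."""
    disc = b * b - 4 * a * c
    if disc < 0:
        return []
    r = math.sqrt(disc)
    return [(-b + r) / (2 * a), (-b - r) / (2 * a)]


def tangent_condition(s, v, d):
    """tangent_condition?(s, v): D^2 (v_x^2 + v_y^2) = (s_x v_y - s_y v_x)^2."""
    sx, sy = s
    vx, vy = v
    return math.isclose(d * d * (vx * vx + vy * vy), (sx * vy - sy * vx) ** 2, rel_tol=EPS, abs_tol=EPS)


def separation(s, v, d):
    """separation?(s, v) in the horizontal plane: |s + t v| >= D for every t. The minimum
    is attained at tau = -(s . v) / (v . v) (standard closest-approach time, assumed here)."""
    sx, sy = s
    vx, vy = v
    tau = -(sx * vx + sy * vy) / (vx * vx + vy * vy)
    return (sx + tau * vx) ** 2 + (sy + tau * vy) ** 2 >= d * d - EPS


def heading_only(vo, vo_new):
    """heading_only?(v_o, v'_o): ground speed unchanged, only the heading differs."""
    return math.isclose(vo[0] ** 2 + vo[1] ** 2, vo_new[0] ** 2 + vo_new[1] ** 2, rel_tol=EPS)


def line_escape(s, vo, vi, d, eps):
    """Relative escape velocities v' = (x, alpha' x) with x a root of (99) (Theorem 40)."""
    a = alpha_calc(eps, s, d)
    vix, viy = vi
    roots = real_roots(1 + a * a, 2 * (vix + a * viy), vix * vix + viy * viy - (vo[0] ** 2 + vo[1] ** 2))
    return [(x, a * x) for x in roots]


def line_recovery(s, v, vp, t_pp, d, eps):
    """Recovery leg of Theorem 42: t' and v'' = (v''_x, alpha'' v''_x) with alpha'' = alpha_calc(eps, s'').
    Returns None when a premise (v'_y - alpha'' v'_x != 0, t'' != t') is violated."""
    s_pp = (s[0] + t_pp * v[0], s[1] + t_pp * v[1])              # s'' = s + t'' v
    a_pp = alpha_calc(eps, s_pp, d)
    denom = vp[1] - a_pp * vp[0]
    if abs(denom) < EPS:
        return None
    t_p = t_pp * (v[1] - a_pp * v[0]) / denom                    # t' = t'' (v_y - a'' v_x) / (v'_y - a'' v'_x)
    if abs(t_pp - t_p) < EPS:
        return None
    v_ppx = (t_pp * v[0] - t_p * vp[0]) / (t_pp - t_p)           # v''_x = (t'' v_x - t' v'_x) / (t'' - t')
    return t_p, (v_ppx, a_pp * v_ppx)


def timely(s, v, vp, v_pp, t_p, t_pp):
    """Lemma 50: s + t'' v = s + t' v' + (t'' - t') v''."""
    lhs = [s[k] + t_pp * v[k] for k in range(2)]
    rhs = [s[k] + t_p * vp[k] + (t_pp - t_p) * v_pp[k] for k in range(2)]
    return all(math.isclose(p, q, rel_tol=EPS, abs_tol=EPS) for p, q in zip(lhs, rhs))


def line_line_maneuver(s=S, vo=VO, vi=VI, d=D, t_pp=T_PP):
    """Check the four conclusions of Theorem 53 (llhd) for every escape/recovery combination."""
    v = (vo[0] - vi[0], vo[1] - vi[1])                            # v = v_o - v_i
    results = []
    for eps_esc in (-1, 1):
        for vp in line_escape(s, vo, vi, d, eps_esc):
            vo_new = (vp[0] + vi[0], vp[1] + vi[1])               # v'_o = v' + v_i
            for eps_rec in (-1, 1):
                rec = line_recovery(s, v, vp, t_pp, d, eps_rec)
                if rec is None:
                    continue
                t_p, v_pp = rec
                s_p = (s[0] + t_p * vp[0], s[1] + t_p * vp[1])    # position when recovery starts
                results.append({
                    "t_prime": t_p,
                    "escape_separation": separation(s, vp, d) and tangent_condition(s, vp, d),
                    "heading_only": heading_only(vo, vo_new),
                    "recovery_separation": separation(s_p, v_pp, d) and tangent_condition(s_p, v_pp, d),
                    "timely": timely(s, v, vp, v_pp, t_p, t_pp),
                })
    return results
```

Theorem 53 places no sign constraint on t', so some of the eight combinations have a negative t'; the algebraic conclusions hold for all of them.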


5.4.12 Line/circle

The line/circle situation is depicted in Figure 5.

Theorem 54 (lchd) If $\alpha' = \mathrm{alpha\_calc}(-1, s)$ or $\alpha' = \mathrm{alpha\_calc}(1, s)$, and the quadratic equation

$${v'_x}^2(1 + \alpha'^2) + 2v'_x(v_{ix} + \alpha' v_{iy}) + v_{ix}^2 + v_{iy}^2 - v_{ox}^2 - v_{oy}^2 = 0$$

has solutions $x_1$ and $x_2$, i.e., the discriminant is non-negative:

$$\mathrm{discr}(1 + \alpha'^2,\; 2v_{ix} + 2\alpha' v_{iy},\; v_{ix}^2 + v_{iy}^2 - v_{ox}^2 - v_{oy}^2) \ge 0,$$

and the quadratic equation $at^2 + bt + c = 0$, defined by

$$\begin{aligned}
A_x &= s''_x + (\theta'' - t'')v'_x, & A_y &= s''_y + (\theta'' - t'')v'_y, \\
B_x &= s_x + \theta'' v_x, & B_y &= s_y + \theta'' v_y, \\
a &= A_x^2 + A_y^2 - D^2, \\
b &= 2t''(D^2 - A_x B_x - A_y B_y), \\
c &= t''^2(B_x^2 + B_y^2 - D^2)
\end{aligned}$$

is a proper quadratic equation, i.e., $a \ne 0$, and has solutions $t_1$ and $t_2$, i.e., $\mathrm{discr}(a, b, c) \ge 0$, then

$$\begin{aligned}
& v = v_o - v_i \wedge v' = v'_o - v_i \wedge s'' = s + t''v \\
\wedge\;& s_x^2 + s_y^2 > D^2 \wedge v_{ox}^2 + v_{oy}^2 \ne v_{ix}^2 + v_{iy}^2 \\
\wedge\;& \mathrm{hor\_speed\_gt\_0?}(v') \\
\wedge\;& (v'_x = x_1 \vee v'_x = x_2) \\
\wedge\;& v'_y = \alpha' v'_x \wedge v'_z = v_z \wedge v_z \ne 0 \\
\wedge\;& \theta'' = \theta^+(s_z, v_z) \wedge \theta'' < t'' \\
\wedge\;& (t' = t_1 \vee t' = t_2) \\
\wedge\;& t' \ne t'' \wedge v''_x = \frac{t''v_x - t'v'_x}{t'' - t'} \\
\wedge\;& v''_y = \frac{t''v_y - t'v'_y}{t'' - t'} \\
\wedge\;& v'_z = v_z \wedge v''_z = v_z \\
\wedge\;& [s''_x + (\theta'' - t'')v''_x]v''_x + [s''_y + (\theta'' - t'')v''_y]v''_y < 0 \\
\supset\;& \mathrm{separation?}(s, v') \\
\wedge\;& \mathrm{separation?}(s + t'v', v'') \\
\wedge\;& \mathrm{heading\_only?}(v_o, v'_o) \\
\wedge\;& s + t''v = s + t'v' + (t'' - t')v''
\end{aligned}$$

Proof. The theorem follows directly from line_escape [Theorem 40], circle_recovery [Theorem 47], line_esc_hd_only [Theorem 41], and timeliness [Theorem 50].

□



5.4.13 Circle/line

A circle/line maneuver is shown in Figure 6.

Theorem 55 (clhd) If the quadratic equation

$$v^2 A + vB + C = 0,$$

defined by

$$\begin{aligned}
A &= 4\theta'^2((s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2), \\
B &= 4(s_x - \theta' v_{ix})\theta' E, \\
C &= E^2 - 4(s_y - \theta' v_{iy})^2\theta'^2(v_{ox}^2 + v_{oy}^2), \\
E &= (s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2 + \theta'^2 v_{ox}^2 + \theta'^2 v_{oy}^2 - D^2
\end{aligned}$$

is a proper quadratic equation, i.e., $A \ne 0$, and has solutions $v_1$ and $v_2$, i.e. $\mathrm{discr}(A, B, C) \ge 0$, then

$$\begin{aligned}
& v = v_o - v_i \wedge v' = v'_o - v_i \wedge s'' = s + t''v \wedge v_z \ne 0 \\
\wedge\;& \theta' = \theta^-(s_z, v_z) \wedge \mathrm{exit?}(s + \theta' v', v') \\
\wedge\;& v_{ox}^2 + v_{oy}^2 \ge {v'_{ox}}^2 \\
\wedge\;& (v'_{ox} = v_1 \vee v'_{ox} = v_2) \\
\wedge\;& v'_{oy} = \sqrt{v_{ox}^2 + v_{oy}^2 - {v'_{ox}}^2} \wedge v'_z = v_z \\
\wedge\;& \mathrm{sign}(-2(s_y - \theta' v_{iy})\theta' v'_{oy}) = \mathrm{sign}(E + 2(s_x - \theta' v_{ix})\theta' v'_{ox}) \\
\wedge\;& \mathrm{hor\_speed\_gt\_0?}(v'') \wedge t'' \ne t' \\
\wedge\;& {s''_x}^2 + {s''_y}^2 - D^2 > 0 \wedge s''_y \ne 0 \\
\wedge\;& \alpha'' = \mathrm{alpha\_calc}(\epsilon, s'') \wedge v'_y - \alpha'' v'_x \ne 0 \\
\wedge\;& t' = t''\,\frac{v_y - \alpha'' v_x}{v'_y - \alpha'' v'_x} \\
\wedge\;& v''_x = \frac{t''v_x - t'v'_x}{t'' - t'} \\
\wedge\;& v''_y = \alpha'' v''_x \wedge v'_z = v_z \wedge v''_z = v_z \\
\supset\;& \mathrm{separation?}(s, v') \\
\wedge\;& \mathrm{separation?}(s + t'v', v'') \\
\wedge\;& \mathrm{heading\_only?}(v_o, v'_o) \\
\wedge\;& s + t''v = s + t'v' + (t'' - t')v''
\end{aligned}$$

Proof. The theorem follows directly from circle_escape [Theorem 44], line_recovery [Theorem 42], circle_hd_only [Theorem 45], and alpha_timeliness [Theorem 51].

□
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5.4.14 Circle/circle 


Circle-circle solutions are shown in Figure 8. 


Theorem 56 (cchd) If the quadratic equation 


v 2 A + vB + C = 0, 


defined by 


A — 40 (( s x — 6 Vi x fi + (sy — 8 Viy ) 2 ), 

B = 4 {s x -8'v ix )8'E, 

C = E 2 -4{s y -8'v iy ) 2 9' 2 (v 2 ox + v 2 oy ), 

E = (s x — 9 Vix) 2 + ( s y — 9 Viy) 2 + 9 v 2 x + 9 v 2 y — D~ 


is a proper quadratic equation, i.e., A 0, and has solutions v\ and V 2 , i-e. 
discr(T, B , C ) > 0, and the quadratic equation at 2 + bt + c = 0, defined by 


A x = sl + {8"-t")v' x 

^a; = (s x + 0 V x ) 


Ay = s" + (8" - t") V ' y 

= ( s y A- 0 v y ) 


a = A x 2 + A y 2 — D 2 

b = 2 1” [D 2 — Aj-Bj; — AyBy) 

c = t" 2 ( B, 2 + By 2 - D 2 ) 


is a proper quadratic equation, i.e., a 0, and has solutions t\ and t 2 , i.e. discr( a, b, c) > 
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0, then 


A 

A 

A 

A 

A 

A 

A 

A 

A 

A 


v = v 0 — Vi A v' = v' a — Vi A s" = s + t"v A v z / 0 
0' = 0~(s z ,v z ) A exit ?(s + 0'v',v') 

Vox 2 + v oy 2 > v' ox 2 A {v' ox = vi V = U2) 


?7 = 

°y 


■ V 2 — ^i/ 2 
u ox 


A vl = v* 


sign(— 2(s,, - O' v iy )6' v' oy ) = sign(£’ + 2 (s x - 0'v ix )0'v\ 
hor_speed_gt_0?(V) A v z Y 0 
0" = 0 + (s z ,v z ) A 0" < 

(t' = ti V t! = t 2 ) 

i/ -L Jt A „.// 

t T 1 t A Up — 


ox J 


t"v x — t'v' x 


t" - 1' 

t"v -f'v' 

v 'y = t" -t' V A v 'z = Vz A = Vz 

[4 + (o" - f)4\4 + K + ( 0 " - f'KK < o 


D 


separation?(s, v') A 
heading_only?(u 0 , w^,) A 
separation?(s + tV, v") A 
s + tu = ,s + fu+(t — t)v 


Proof. The theorem follows directly from circle_escape [Theorem 44], circle_recovery 
[Theorem 47], circle_hd_only [Theorem 45], and timeliness [Theorem 50]. 

□ 


5.4.15 In-circle

In-circle solutions are shown in Figure 9.

Theorem 57 (ichd) If the quadratic equation

$$v^2 A + vB + C = 0$$

defined by

$$\begin{aligned}
A &= 4\theta'^2((s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2), \\
B &= 4(s_x - \theta' v_{ix})\theta' E, \\
C &= E^2 - 4(s_y - \theta' v_{iy})^2\theta'^2(v_{ox}^2 + v_{oy}^2), \\
E &= (s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2 + \theta'^2 v_{ox}^2 + \theta'^2 v_{oy}^2 - D^2
\end{aligned}$$

is a proper quadratic equation, i.e., $A \ne 0$, and has solutions $v_1$ and $v_2$, i.e. $\mathrm{discr}(A, B, C) \ge 0$, and

$$\begin{aligned}
& v = v_o - v_i \wedge v' = v'_o - v_i \wedge v'' = v''_o - v_i \\
\wedge\;& v_z \ne 0 \wedge \theta'' = \theta^+(s_z, v_z) \\
\wedge\;& \mathrm{entry?}(s + \theta'' v', v') \\
\wedge\;& v_{ox}^2 + v_{oy}^2 \ge {v'_{ox}}^2 \\
\wedge\;& (v'_{ox} = v_1 \vee v'_{ox} = v_2) \\
\wedge\;& v'_{oy} = \sqrt{v_{ox}^2 + v_{oy}^2 - {v'_{ox}}^2} \\
\wedge\;& \mathrm{sign}(-2(s_y - \theta'' v_{iy})\theta'' v'_{oy}) = \mathrm{sign}(E + 2(s_x - \theta'' v_{ix})\theta'' v'_{ox}) \\
\wedge\;& t' = \theta'' \wedge \theta'' < t'' \\
\wedge\;& v''_{ox} = \frac{t'v'_{ox} - t''v_{ox}}{t' - t''} \\
\wedge\;& v''_{oy} = \frac{t'v'_{oy} - t''v_{oy}}{t' - t''} \wedge v'_z = v_z \wedge v''_z = v_z \\
\supset\;& \mathrm{separation?}(s, v') \\
\wedge\;& \mathrm{heading\_only?}(v_o, v'_o) \\
\wedge\;& \mathrm{separation\_pos?}(s + t'v', v'') \\
\wedge\;& s + t''v = s + t'v' + (t'' - t')v''
\end{aligned}$$

Proof. The theorem follows directly from circle_escape [Theorem 44], in_circle_recovery [Theorem 48], circle_hd_only [Theorem 45], and vor_timeliness [Theorem 52]. Instead of separation_pos?, $\mathrm{separation?}(s + t'v', v'')$ would be a more general result, but it is not required. All that is required is separation over the interval $[t', t'']$. This interval is covered with the separation_pos? predicate.

□


5.4.16 Out-circle

Out-circle solutions are shown in Figure 10.

Theorem 58 (ochd) If the quadratic equation

$$v^2 A + vB + C = 0$$

defined by

$$\begin{aligned}
A &= 4\theta'^2((s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2), \\
B &= 4(s_x - \theta' v_{ix})\theta' E, \\
C &= E^2 - 4(s_y - \theta' v_{iy})^2\theta'^2(v_{ox}^2 + v_{oy}^2), \\
E &= (s_x - \theta' v_{ix})^2 + (s_y - \theta' v_{iy})^2 + \theta'^2 v_{ox}^2 + \theta'^2 v_{oy}^2 - D^2
\end{aligned}$$

is a proper quadratic equation, i.e., $A \ne 0$, and has solutions $v_1$ and $v_2$, i.e. $\mathrm{discr}(A, B, C) \ge 0$, and

$$\begin{aligned}
& v = v_o - v_i \wedge v' = v'_o - v_i \wedge v'' = v''_o - v_i \\
\wedge\;& s'' = s + t''v \wedge v_z \ne 0 \wedge \theta' = \theta^-(s_z, v_z) \\
\wedge\;& \mathrm{exit?}(s + \theta' v', v') \wedge v_{ox}^2 + v_{oy}^2 \ge {v'_{ox}}^2 \\
\wedge\;& (v'_{ox} = v_1 \vee v'_{ox} = v_2) \\
\wedge\;& v'_{oy} = \sqrt{v_{ox}^2 + v_{oy}^2 - {v'_{ox}}^2} \\
\wedge\;& \mathrm{sign}(-2(s_y - \theta' v_{iy})\theta' v'_{oy}) = \mathrm{sign}(E + 2(s_x - \theta' v_{ix})\theta' v'_{ox}) \\
\wedge\;& t' = \theta' \wedge \theta' < t'' \\
\wedge\;& \mathrm{exit?}(s + \theta' v', v'') \wedge [s''_z - (t'' - t')v''_z]v''_z < 0 \\
\wedge\;& v''_{ox} = \frac{t'v'_{ox} - t''v_{ox}}{t' - t''} \\
\wedge\;& v''_{oy} = \frac{t'v'_{oy} - t''v_{oy}}{t' - t''} \\
\wedge\;& v'_z = v_z \wedge v''_z = v_z \\
\supset\;& \mathrm{separation?}(s, v') \\
\wedge\;& \mathrm{heading\_only?}(v_o, v'_o) \\
\wedge\;& \mathrm{separation?}(s + t'v', v'') \\
\wedge\;& s + t''v = s + t'v' + (t'' - t')v''
\end{aligned}$$

Proof. The theorem follows directly from circle_escape [Theorem 44], out_circle_recovery [Theorem 49], circle_hd_only [Theorem 45], and vor_timeliness [Theorem 52].

□

5.4.17 Special Cases

Theorem 59 (line_escape_0)

$$\begin{aligned}
& v' = v'_o - v_i \wedge v_{ox}^2 + v_{oy}^2 \ge v_{ix}^2 \\
\wedge\;& D^2 = s_x^2 \wedge v'_{ox} = v_{ix} \\
\supset\;& \mathrm{separation?}(s, v')
\end{aligned}$$

Proof. First we use separation_lem [Lemma 1] to change the goal to

$$\mathrm{separation?}(s + \tau(s, v')v', v')$$

Next, using line_case_correctness [Theorem 2] we can establish this goal if we prove $\mathrm{tangent\_point?}(s + \tau(s, v')v', v')$. To do this we use the lemma tau_is_tangent_pt, which reduces the goal to $\mathrm{tangent\_condition?}(s, v')$, which expands to

$$D^2({v'_x}^2 + {v'_y}^2) = (s_x v'_y - s_y v'_x)^2.$$

From the premises $v' = v'_o - v_i$ and $v'_{ox} = v_{ix}$ we obtain $v'_x = 0$. The goal follows by premise $D^2 = s_x^2$.

□

Theorem 60 (line_esc_0_hd_only)

$$\begin{aligned}
& v_{ox}^2 + v_{oy}^2 \ge v_{ix}^2 \wedge v'_{ox} = v_{ix} \\
\wedge\;& v'_{oy} = \epsilon\sqrt{v_{ox}^2 + v_{oy}^2 - v_{ix}^2} \wedge v'_{oz} = v_{oz} \\
\supset\;& \mathrm{heading\_only?}(v_o, v'_o)
\end{aligned}$$

Proof. To establish $\mathrm{heading\_only?}(v_o, v'_o)$, we must show ${v'_{ox}}^2 + {v'_{oy}}^2 = v_{ox}^2 + v_{oy}^2 \wedge v'_{oz} = v_{oz}$. Using the premises $v'_{ox} = v_{ix}$ and $v'_{oz} = v_{oz}$ we can reduce this to $v_{ix}^2 + {v'_{oy}}^2 = v_{ox}^2 + v_{oy}^2$. This follows trivially by squaring both sides of the definition of $v'_{oy}$.

□

The next theorem describes a strange maneuver. During the escape course, the ownship solves the conflict; during the recovery course, it only waits.

Theorem 61 (llhd_recovery_0)

$$\begin{aligned}
& \mathrm{hor\_speed\_gt\_0?}(v') \\
\wedge\;& D^2 = (s_x + t''v_x)^2 \\
\wedge\;& v'_x \ne 0 \wedge t' = \frac{t''v_x}{v'_x} \\
\wedge\;& v''_x = 0 \wedge v''_y = \frac{t''v_y - t'v'_y}{t'' - t'} \\
\wedge\;& v'_z = v_z \wedge v''_z = v_z \\
\supset\;& \mathrm{separation?}(s + t'v', v'')
\end{aligned}$$

Proof. Define $s'' = s + t''v$. Using separation_lem [Lemma 1] we change the starting point for the goal:

$$\mathrm{separation?}(s'' - (t'' - t')v'' + (\tau(s'', v'') - t' + t'')v'', v''),$$

which can be simplified to

$$\mathrm{separation?}(s'' + \tau(s'', v'')v'', v'').$$

Using line_case_correctness [Theorem 2] this goal can be reduced to $\mathrm{tangent\_point?}(s'' + \tau(s'', v'')v'', v'')$.

Next, using lemma tau_is_tangent_pt, the goal is simplified to proving $\mathrm{tangent\_condition?}(s'', v'')$, which expands to

$$D^2({v''_x}^2 + {v''_y}^2) = (s''_x v''_y - s''_y v''_x)^2.$$

Since $v''_x = 0$, this reduces to

$$D^2{v''_y}^2 = (s''_x v''_y)^2.$$

Since a premise provides that ${s''_x}^2 = D^2$, this equality is true.

□
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Theorem 62 (llhd_recovery_B) 


hor_speed_gt_0?(u w ) A s" = s + t"v 

A D 2 = sf A v' x 7 ^ 0 A t" 7 ^ t! 

A t' = A v" = 0 

-Jt' ^ 


* / a // 

A v z = v z A v z = v z 

D separation?^ + tV, u") 


Proof. As in the proof of llhd_recovery_0 the goal can be reduced to 

7~i 2/ "2 //2s. / // // // //s.2 

D {V X + Vy ) = (. S X Vy - SyV x ) 


This goal follows from the premises v'f = 0 and D 2 = s" x by simplification. 


6 Conclusion

In this paper, a formal safety approach to the development of Air Traffic Management (ATM) systems is advocated. An example of the first step of this approach — the formal verification of a critical component of a distributed ATM concept (an air traffic resolution and recovery algorithm) — is presented.

One reason formal verification is valuable is that it provides the system designer with a much better means to handle the inherent unpredictability of complex systems. Once the behavior of some of the system's components is fully understood (through the formal verification process), the properties of other unpredictable components can be characterized more easily. Using a set of algorithms whose behavior is fully understood under explicitly enumerated assumptions greatly aids the designer of ATM operational concepts. Not only is the designer liberated from having to define contingency plans for failures of the algorithm, but by knowing the assumptions built into the algorithm, the designer has explicit knowledge about where to concentrate attention in order to produce a robust and safe operational concept. In this approach, human-in-the-loop simulation and expensive flight experiments are used to validate assumptions made during the formal verification. This is a major shift from traditional approaches where testing and simulation drive the safety validation and certification of avionics systems.

Proof-of-correctness of an algorithm does not guarantee a fault-free system. Complete verification of a system implementation must deal with many other considerations that do not arise in an abstract algorithm, such as floating point overflow and underflow, validity of input data, meeting real-time deadlines, communication flaws, etc. Furthermore, at the system design level, additional algorithms are introduced to handle inter-aircraft communications (e.g. ADS-B), to detect and mask faulty input data, to format output data for pilot displays, to schedule execution, and to coordinate with other systems. All of these algorithms must be shown to satisfy critical safety properties in addition to the core resolution and recovery algorithm.

Figure 11. System Verification

Nevertheless, the verification of a resolution and recovery algorithm is a fundamental step toward complete verification of an ATM system. In particular, as the RR3D algorithm is refined into a high-level design and then translated into a programming language, additional formal proofs will be constructed. An ATM system that integrates an implementation of RR3D will then be formally supported by several layers of abstraction (Figure 11). These kinds of system design properties have not been addressed. Some issues related to system verification that will be addressed as the research continues include:

• Strategic Resolution and Recovery. RR3D is a state-based algorithm with minimal intent information. It propagates an aircraft trajectory based on current location, velocity, and an arrival time constraint. The arrival time constraint makes RR3D suitable for strategic CD&R. Indeed, Geser and Munoz describe in [7] an algorithm that incorporates RR3D into a conflict-free flight planner. The correctness of the flight planner is based on the correctness of RR3D. A separate resolution and recovery algorithm enables the decomposition of the flight planner into less complex parts and, more importantly, the decomposition of its correctness proof.

• Geodesic Coordinates. As with most geometric ATM algorithms, RR3D is presented in a Cartesian coordinate system that assumes a flat earth. An interface module has been developed that converts from geodesic coordinates to Cartesian coordinates, eliminating errors due to the flat earth assumption. The formalization and correctness proof of the coordinate transformation is in progress.

• Floating Point Errors. The formalization of RR3D assumes exact real arithmetic, whereas programming languages provide only floating point arithmetic. It is well-known that floating point numbers do not satisfy even elementary properties of real numbers. An interval analysis of RR3D that considers floating point inaccuracy errors, underflows, and overflows will complement a preliminary work on refinement of abstract algorithms into real-life programming languages.

A formal safety approach to the design and verification of ATM systems provides an intellectually defensible means to move advanced technology into the national airspace. Current research approaches — which center around comparative studies — can only establish some characteristics of a proposed system in preconceived scenarios. Formal analysis, including appropriate assumptions, provides an objective, absolute statement about a proposed system over all possible scenarios. Admittedly this analysis is a difficult and time-consuming endeavor. But, as unprecedented amounts of software are introduced in new safety critical roles, a more comprehensive assessment of safety is needed.
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7 Appendix 

7.1 Errors Found and Missing Assumptions 

While checking the hand-written proof of RR3D presented in [1], we have discovered the following errors and missing assumptions (all formula and section numbers refer to [1]):

• Definition of C in Formula 4.16 should be:

$$C = E^2 - 4(s_y - \theta' v_{iy})^2\theta'^2(v_{ox}^2 + v_{oy}^2)$$

A square expression was missing in the original formula.

• The escape-circle case in Section 4.3 should refer to formula

$$(s_x + \theta'(kv_{ox} - v_{ix}))(kv_{ox} - v_{ix}) + (s_y + \theta'(kv_{oy} - v_{iy}))(kv_{oy} - v_{iy}) \le 0$$

instead of Formula 4.28.

• The recovery-circle case in Section 4.3 should refer to formula

$$(s'_x + (\theta'' - t'')(jv_{ox} - v_{ix}))(jv_{ox} - v_{ix}) + (s'_y + (\theta'' - t'')(jv_{oy} - v_{iy}))(jv_{oy} - v_{iy}) > 0$$

instead of Formula 4.31.

• Solutions to Equation 4.42 are valid only under the assumption:

$$\theta' v'_{oy}(s_y - \theta' v_{iy})(E + 2\theta' v'_{ox}(s_x - \theta' v_{ix})) < 0$$

• The correct definition of $\alpha''$ in the solution of Formula 4.46 is

$$\alpha'' = -(D^2 - s_y^2)/(2s_x s_y)$$

A negative symbol is missing in the original formula.

• The circle/circle derivation in Section 4.4 is invalid. The formal verification reported in this paper contains a valid derivation.

7.2 Proofs Of Some Useful Lemmas 
Lemma 14 (signs_are_opposite)

$$\neg\mathrm{pred\_sep?}(s, v, t'') \wedge |s_z| > H \supset \mathrm{sign}(s_z) = -\mathrm{sign}(v_z)$$

Proof. From $\neg\mathrm{pred\_sep?}(s, v, t'')$ we obtain $\neg\mathrm{vert\_sep?}(s + tv)$ for some time $t$, where $0 \le t \le t''$. From the definition of $\neg\mathrm{vert\_sep?}$ we get $|s_z + tv_z| < H$.

Case 1 [$v_z > 0$]: If $\mathrm{sign}(s_z) = -1$, then the goal is reached trivially. If $\mathrm{sign}(s_z) = 1$, then $s_z > 0$, so by the second premise $H < s_z$. We also observe that $tv_z \ge 0$ so $s_z + tv_z > H$. This yields a contradiction with the $\neg\mathrm{vert\_sep?}(s + tv)$ premise.

Case 2 [$v_z < 0$]: If $\mathrm{sign}(s_z) = 1$, then the goal is reached trivially. If $\mathrm{sign}(s_z) = -1$, then $s_z < 0$, so by the second premise $s_z < -H$. We also observe that $tv_z \le 0$ so $s_z + tv_z < -H$. This yields a contradiction with the $\neg\mathrm{vert\_sep?}(s + tv)$ premise.

□


Lemma 15 (signs_ve_z) 

  $\neg\mathrm{pred\_sep?}(s, v, t'') \wedge |s_z| > H \wedge C > 0 \wedge 
  v'_z = \dfrac{-\mathrm{sign}(v_z)\,H - s_z}{C} \wedge v_z \neq 0 
  \;\supset\; \mathrm{sign}(v'_z) = \mathrm{sign}(v_z)$ 

Proof. Using Lemma 14 (signs_are_opposite) we get $\mathrm{sign}(s_z) = -\mathrm{sign}(v_z)$. Rewriting 
the definition of $v'_z$ with this and cross-multiplying we get: 

  $v'_z\, C = \mathrm{sign}(s_z)\,H - s_z$ 

Case 1 [$s_z > 0$]: Expanding sign, we have $v'_z C = H - s_z$. Since $s_z > H$ and $C > 0$, 
$v'_z < 0$, and $\mathrm{sign}(v_z) = -\mathrm{sign}(s_z) = -1$, so the result follows. 

Case 2 [$s_z < 0$]: Expanding sign, we have $v'_z C = -H - s_z$. Since the magnitude of $s_z$ 
is greater than $H$, $-s_z > H$, so $v'_z > 0 = \mathrm{sign}(v_z)$, which is the desired result. 

□ 


Lemma 16 (signs_vr_z) 

  $\neg\mathrm{pred\_sep?}(s, v, t'') \wedge |s_z| > H \wedge 
  v'_z = \dfrac{-\mathrm{sign}(v_z)\,H - s_z}{C} \wedge 
  t'' - C > 0 \wedge C > 0 \wedge 
  v''_z = \dfrac{t'' v_z - v'_z\, C}{t'' - C} 
  \;\supset\; \mathrm{sign}(v''_z) = -\mathrm{sign}(s_z)$ 

Proof. Using Lemma 14 (signs_are_opposite) we get $\mathrm{sign}(s_z) = -\mathrm{sign}(v_z)$. Cross-multiplying 
the definition of $v'_z$ yields $v'_z C = -\mathrm{sign}(v_z)\,H - s_z$. Cross-multiplying the definition of $v''_z$ 
yields $v''_z (t'' - C) = t'' v_z - C v'_z$. Rewriting the second formula with the first formula: 

  $v''_z\,(t'' - C) = t'' v_z - (-\mathrm{sign}(v_z)\,H - s_z) = t'' v_z + \mathrm{sign}(v_z)\,H + s_z$ 

From $\neg\mathrm{pred\_sep?}(s, v, t'')$ and the definition of $\mathrm{vert\_sep?}$ we get $|s_z + t^* v_z| < H$ for some 
$0 \le t^* \le t''$. One then case splits on $v_z > 0$ and $v_z < 0$ and simplifies all formulas. Inequality 
reasoning involving $t^* v_z$ and $t'' v_z$, together with $t'' - C > 0$, yields the desired result. 

□ 
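The inequality reasoning that closes the proof of Lemma 16, carried through case by case. This expanded derivation is added here and is not part of the original appendix; $t^*$ denotes the witness time obtained from $\neg\mathrm{pred\_sep?}(s, v, t'')$, with $0 \le t^* \le t''$.

\begin{align*}
\text{From Lemma 14 and the rewriting above:}\quad
  & \mathrm{sign}(s_z) = -\mathrm{sign}(v_z), \qquad
    v''_z\,(t'' - C) = t'' v_z + \mathrm{sign}(v_z)\,H + s_z . \\[4pt]
\text{Case } v_z > 0:\quad
  & s_z < 0 \text{ and } |s_z| > H \;\Rightarrow\; s_z < -H, \\
  & |s_z + t^* v_z| < H \;\Rightarrow\; -H < s_z + t^* v_z \le s_z + t'' v_z
    \quad (v_z > 0,\; t^* \le t''), \\
  & \Rightarrow\; t'' v_z + H + s_z > 0
    \;\Rightarrow\; v''_z\,(t'' - C) > 0
    \;\Rightarrow\; v''_z > 0 = -\mathrm{sign}(s_z)
    \quad (t'' - C > 0). \\[4pt]
\text{Case } v_z < 0:\quad
  & s_z > 0 \text{ and } |s_z| > H \;\Rightarrow\; s_z > H, \\
  & |s_z + t^* v_z| < H \;\Rightarrow\; H > s_z + t^* v_z \ge s_z + t'' v_z
    \quad (v_z < 0,\; t^* \le t''), \\
  & \Rightarrow\; t'' v_z - H + s_z < 0
    \;\Rightarrow\; v''_z\,(t'' - C) < 0
    \;\Rightarrow\; v''_z < 0 = -\mathrm{sign}(s_z)
    \quad (t'' - C > 0).
\end{align*}

In both cases the sign of $v''_z$ is determined by the sign of the bracketed sum, which is why the hypotheses $t'' - C > 0$ and $|s_z| > H$ cannot be dropped.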


7.3 Mapping of Notation to PVS 

  Notation   PVS     Meaning 
  -------------------------------------------------------------- 
  s          s       relative ownship position 
  s'         se      relative turn point 
  s''        sr      relative final position 
  v          v       relative ownship velocity 
  v'         ve      relative ownship escape velocity 
  v''        vr      relative ownship recovery velocity 
  v_x        v`x     x component of relative ownship velocity 
  v'_y       ve`y    y component of relative escape velocity 
  v''_z      vr`z    z component of relative recovery velocity 
  t          t       time variable 
  t'         te      turn time 
  t''        tr      final time 
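A numeric sanity check of Lemmas 14, 15 and 16 from Section 7.2, written with the PVS names from the table above. This is an added example, not code from the paper or from its PVS development. It assumes the vertical-only reading of pred_sep? that the proofs actually use (there is some time t in [0, t''] with |s_z + t v_z| < H), reads the constant C in the lemmas as the turn time te (the assumption under which t'' v_z = C v'_z + (t'' - C) v''_z preserves the vertical displacement), and uses a constructed value for H. Random sampling cannot replace the PVS proof; it is the kind of check one runs before attempting one.

```python
import random

# Constructed sample value for the vertical separation minimum H (assumption).
H = 1000.0


def sign(x):
    """Sign function; the lemmas only apply it to non-zero arguments."""
    return 1 if x > 0 else -1 if x < 0 else 0


def vert_sep(s_z, h=H):
    """vert_sep?: the relative position is vertically separated."""
    return abs(s_z) >= h


def not_pred_sep_vert(s_z, v_z, tr, h=H):
    """Vertical part of ¬pred_sep?(s, v, tr): some t in [0, tr] with |s_z + t v_z| < h.

    For straight-line motion this is decidable exactly: |s_z + t v_z| is convex in t,
    so its minimum over [0, tr] is at an endpoint or at the zero crossing t0 = -s_z / v_z.
    """
    if v_z != 0:
        t0 = -s_z / v_z
        if 0 <= t0 <= tr:
            return True          # the relative altitude passes through 0 < h
    return not vert_sep(s_z, h) or not vert_sep(s_z + tr * v_z, h)


def ve_z(s_z, v_z, te, h=H):
    """v'_z = (-sign(v_z) H - s_z) / C with C read as the turn time te (assumption)."""
    return (-sign(v_z) * h - s_z) / te


def vr_z(s_z, v_z, te, tr, h=H):
    """v''_z = (t'' v_z - v'_z C) / (t'' - C), i.e. the recovery velocity that restores
    the vertical displacement of the original trajectory at time t''."""
    return (tr * v_z - ve_z(s_z, v_z, te, h) * te) / (tr - te)


def check_lemmas(trials=2000, seed=1):
    """Sample inputs satisfying the hypotheses of Lemmas 14-16 and assert the conclusions.

    Returns the number of hypothesis-satisfying samples that were checked.
    """
    rng = random.Random(seed)
    checked = 0
    while checked < trials:
        s_z = rng.uniform(-5 * H, 5 * H)
        v_z = rng.uniform(-50.0, 50.0)
        tr = rng.uniform(1.0, 600.0)
        te = rng.uniform(0.01, tr - 0.01)      # 0 < C and t'' - C > 0
        if v_z == 0 or abs(s_z) <= H or not not_pred_sep_vert(s_z, v_z, tr):
            continue                            # hypotheses not met; resample
        # Lemma 14 (signs_are_opposite)
        assert sign(s_z) == -sign(v_z)
        # Lemma 15 (signs_ve_z)
        assert sign(ve_z(s_z, v_z, te)) == sign(v_z)
        # Lemma 16 (signs_vr_z)
        assert sign(vr_z(s_z, v_z, te, tr)) == -sign(s_z)
        checked += 1
    return checked


def counterexample_without_altitude_hypothesis():
    """Drop |s_z| > H and Lemma 14 fails: ¬pred_sep? already holds at t = 0 because the
    aircraft are not vertically separated, yet s_z and v_z have the same sign.
    Returns whether sign(s_z) = -sign(v_z) holds for the constructed case (it does not)."""
    s_z, v_z, tr = 0.5 * H, 10.0, 60.0          # constructed sample
    assert not_pred_sep_vert(s_z, v_z, tr) and abs(s_z) <= H
    return sign(s_z) == -sign(v_z)


if __name__ == "__main__":
    print("checked samples:", check_lemmas())
    print("Lemma 14 without |s_z| > H:", counterexample_without_altitude_hypothesis())
```

The sampler discards draws that violate any hypothesis, so only cases inside the lemmas' preconditions are asserted on; `counterexample_without_altitude_hypothesis` shows that the altitude premise is essential rather than a convenience, which matches the "missing assumptions" theme of Section 7.1.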